Changes in version 0.4.5.4-rc - 2021-01-22
  Tor 0.4.5.4-rc is the second release candidate in its series. It fixes
  several bugs present in previous releases.

  We expect that the stable release will be the same, or almost the
  same, as this release candidate, unless serious bugs are found.

  o Major bugfixes (authority, IPv6):
    - Do not consider multiple relays in the same IPv6 /64 network to be
      sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.

  o Major bugfixes (directory cache, performance, windows):
    - Limit the number of items in the consensus diff cache to 64 on
      Windows. We hope this will mitigate an issue where Windows relay
      operators reported Tor using 100% CPU, while we investigate better
      solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha.

  o Minor feature (build system):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (authority, logging):
    - Log more information for directory authority operators during the
      consensus voting process, and while processing relay descriptors.
      Closes ticket 40245.
    - Reject obsolete router/extrainfo descriptors earlier and more
      quietly, to avoid spamming the logs. Fixes bug 40238; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (compilation):
    - Fix another warning about unreachable fallthrough annotations when
      building with "--enable-all-bugs-are-fatal" on some compilers.
      Fixes bug 40241; bugfix on 0.4.5.3-rc.
    - Change the linker flag ordering in our library search code so that
      it works for compilers that need the libraries to be listed in the
      right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha.

  o Minor bugfixes (config, bridge):
    - Don't initiate a connection to a bridge configured to use a
      missing transport. This change reverts an earlier fix that would
      try to avoid such situations during configuration checking, but
      which doesn't work with DisableNetwork. Fixes bug 40106; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (onion services):
    - Avoid a non-fatal assertion in certain edge-cases when
      establishing a circuit to an onion service. Fixes bug 32666;
      bugfix on 0.3.0.3-alpha.

  o Minor bugfixes (relay):
    - If we were unable to build our descriptor, don't mark it as having
      been advertised. Also remove a harmless BUG(). Fixes bug 40231;
      bugfix on 0.4.5.1-alpha.


Changes in version 0.4.5.3-rc - 2021-01-12
  Tor 0.4.5.3-rc is the first release candidate in its series. It fixes
  several bugs, including one that broke onion services on certain older
  ARM CPUs.

  Though we anticipate that we'll be doing a bit more clean-up between
  now and the stable release, we expect that our remaining changes will
  be fairly simple. There will be at least one more release candidate
  before 0.4.5.x is stable.

  o Major bugfixes (onion service v3):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Minor features (crypto):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor features (documentation):
    - Mention the "!badexit" directive that can appear in an authority's
      approved-routers file, and update the description of the
      "!invalid" directive. Closes ticket 40188.

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.
    - Fix the "--enable-static-tor" switch to properly set the "-static"
      compile option onto the tor binary only. Fixes bug 40111; bugfix
      on 0.2.3.1-alpha.

  o Minor bugfixes (config, bridge):
    - Really fix the case where torrc has a missing ClientTransportPlugin
      but is configured with a Bridge line and UseBridges. Previously,
      we didn't look at the managed proxy list and thus would fail for
      the "exec" case. Fixes bug 40106; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (logging, relay):
    - Log our address as reported by the directory authorities, if none
      was configured or detected before. Fixes bug 40201; bugfix
      on 0.4.5.1-alpha.
    - When launching a bandwidth testing circuit, don't incorrectly call
      it a reachability test, or trigger a "CHECKING_REACHABILITY"
      control event. Fixes bug 40205; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, statistics):
    - Report the correct connection statistics in our extrainfo
      documents. Previously there was a problem in the file loading
      function which would wrongly truncate a state file, causing the
      wrong information to be reported. Fixes bug 40226; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (SOCKS5):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.


Changes in version 0.4.5.2-alpha - 2020-11-23
  Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series.
  It fixes several bugs present in earlier releases, including one that
  made it impractical to run relays on Windows. It also adds a few small
  safety features to improve Tor's behavior in the presence of strange
  compile-time options, misbehaving proxies, and future versions
  of OpenSSL.

  o Major bugfixes (relay, windows):
    - Fix a bug in our implementation of condition variables on Windows.
      Previously, a relay on Windows would use 100% CPU after running
      for some time. Because of this change, Tor now requires Windows
      Vista or later to build and run. Fixes bug 30187; bugfix on
      0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with
      the introduction of consensus diffs.) Patch by Daniel Pinto.

  o Minor features (compilation):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (protocol, proxy support, defense in depth):
    - Respond more deliberately to misbehaving proxies that leave
      leftover data on their connections, so as to make Tor even less
      likely to allow the proxies to pass their data off as having come
      from a relay. Closes ticket 40017.

  o Minor features (safety):
    - Log a warning at startup if Tor is built with compile-time options
      that are likely to make it less stable or reliable. Closes
      ticket 18888.

  o Minor bugfixes (circuit, handshake):
    - In the v3 handshaking code, use connection_or_change_state() to
      change the state. Previously, we changed the state directly, but
      this did not pass the state change to the pubsub or channel
      objects, potentially leading to bugs. Fixes bug 32880; bugfix on
      0.2.3.6-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (compilation):
    - Use the correct 'ranlib' program when building libtor.a.
      Previously we used the default ranlib, which broke some kinds of
      cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha.
    - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177;
      bugfix on 0.4.5.1-alpha.
    - When USDT tracing is enabled, and STAP_PROBEV() is missing, don't
      attempt to build. Linux supports that macro but not the BSDs.
      Fixes bug 40174; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (configuration):
    - Exit Tor on a misconfiguration when the Bridge line is configured
      to use a transport but no corresponding ClientTransportPlugin can
      be found. Prior to this fix, Tor would attempt to connect to the
      bridge directly without using the transport, making it easier for
      adversaries to notice the bridge. Fixes bug 25528; bugfix
      on 0.2.6.1-alpha.
    - Fix an issue where an ORPort was compared with other kinds of
      ports, when it should have been only checked against other
      ORPorts. This bug would lead to "DirPort auto" getting ignored.
      Fixes bug 40195; bugfix on 0.4.5.1-alpha.
    - Fix a bug where a second non-ORPort with a variant family (ex:
      SocksPort [::1]:9050) would be ignored due to a configuration
      parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (crash, relay, signing key):
    - Avoid assertion failures when we run Tor from the command line
      with `--key-expiration sign`, but an ORPort is not set. Fixes bug
      40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Remove trailing whitespace from control event log messages. Fixes
      bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by
      Amadeusz Pawlik.
    - Turn warning-level log message about SENDME failure into a debug-
      level message. (This event can happen naturally, and is no reason
      for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (relay, address discovery):
    - Don't trigger an IP change when no new valid IP can be found.
      Fixes bug 40071; bugfix on 0.4.5.1-alpha.
    - When attempting to discover our IP, use a simple test circuit,
      rather than a descriptor fetch: the same address information is
      present in NETINFO cells, and is better authenticated there. Fixes
      bug 40071; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (testing):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix unit tests that used a newly generated list of routers so that
      they check them with respect to the date when they were generated,
      not with respect to the current time. Fixes bug 40187; bugfix
      on 0.4.5.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.

  o Removed features (controller):
    - Remove the "GETINFO network-status" controller command. It has
      been deprecated since 0.3.1.1-alpha. Closes ticket 22473.


Changes in version 0.4.4.6 - 2020-11-12
  Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It
  backports fixes from later releases, including a fix for TROVE-2020-
  005, a security issue that could be used, under certain cases, by an
  adversary to observe traffic patterns on a limited number of circuits
  intended for a different relay.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Minor features (directory authorities, backport from 0.4.5.1-alpha):
    - Authorities now list a different set of protocols as required and
      recommended. These lists have been chosen so that only truly
      recommended and/or required protocols are included, and so that
      clients using 0.2.9 or later will continue to work (even though
      they are not supported), whereas only relays running 0.3.5 or
      later will meet the requirements. Closes ticket 40162.
    - Make it possible to specify multiple ConsensusParams torrc lines.
      Now directory authority operators can for example put the main
      ConsensusParams config in one torrc file and then add to it from a
      different torrc file. Closes ticket 40164.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.1-alpha):
    - Fix compiler warnings that would occur when building with
      "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
      same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.

  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
    - For HSFETCH commands on v2 onion services addresses, check the
      length of bytes decoded, not the base32 length. Fixes bug 34400;
      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.


Changes in version 0.4.3.7 - 2020-11-12
  Tor 0.4.3.7 backports several bugfixes from later releases. It
  includes a fix for TROVE-2020-005, a security issue that could be
  used, under certain cases, by an adversary to observe traffic patterns
  on a limited number of circuits intended for a different relay.

  Please be aware that support for the 0.4.3.x series will end on 15
  February 2021. Please upgrade to 0.4.4.x or 0.4.5.x before then, or
  downgrade to 0.3.5.x, which will be supported until at least 1
  February 2022.

  o Major features (fallback directory list, backport from 0.4.4.3-alpha):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Major bugfixes (NSS, backport from 0.4.4.3-alpha):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor features (security, backport from 0.4.4.4-rc):
    - Channels using obsolete versions of the Tor link protocol are no
      longer allowed to circumvent address-canonicity checks. (This is
      only a minor issue, since such channels have no way to set ed25519
      keys, and therefore should always be rejected for circuits that
      specify ed25519 identities.) Closes ticket 40081.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, backport from 0.4.4.5):
    - Our "make check" target now runs the unit tests in 8 parallel
      chunks. Doing this speeds up hardened CI builds by more than a
      factor of two. Closes ticket 40098.

  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc):
    - Fix a correctness bug that could cause an assertion failure if we
      ever tried using the buf_move_all() function with an empty input
      buffer. As far as we know, no released versions of Tor do this.
      Fixes bug 40076; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.

  o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc):
    - On a bridge, treat all connections from an ExtORPort as remote by
      default for the purposes of rate-limiting. Previously, bridges
      would treat the connection as local unless they explicitly
      received a "USERADDR" command. ExtORPort connections still count
      as local if there is a USERADDR command with an explicit local
      address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha):
    - Adjust the rules for when to warn about having too many
      connections to other relays. Previously we'd tolerate up to 1.5
      connections per relay on average. Now we tolerate more connections
      for directory authorities, and raise the number of total
      connections we need to see before we warn. Fixes bug 33880; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (tests, 0.4.4.5):
    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
      on its own. Previously, it would exit with an error. Fixes bug
      40099; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
    - For HSFETCH commands on v2 onion services addresses, check the
      length of bytes decoded, not the base32 length. Fixes bug 34400;
      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (windows, backport from 0.4.4.4-rc):
    - Fix a bug that prevented Tor from starting if its log file grew
      above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha.

  o Deprecated features (onion service v2, backport from 0.4.4.2-alpha):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.

  o Removed features (backport from 0.4.4.3-alpha):
    - Our "check-local" test target no longer tries to use the
      Coccinelle semantic patching tool to parse all the C files. While it
      is a good idea to try to make sure Coccinelle works on our C
      before we run a Coccinelle patch, doing so on every test run has
      proven to be disruptive. You can still run this tool manually with
      "make check-cocci". Closes ticket 40030.


Changes in version 0.3.5.12 - 2020-11-12
  Tor 0.4.3.7 backports several bugfixes from later releases. It
  includes a fix for TROVE-2020-005, a security issue that could be
  used, under certain cases, by an adversary to observe traffic patterns
  on a limited number of circuits intended for a different relay.

  o Major features (fallback directory list, backport from 0.4.4.3-alpha):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Major bugfixes (NSS, backport from 0.4.4.3-alpha):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor features (security, backport from 0.4.4.4-rc):
    - Channels using obsolete versions of the Tor link protocol are no
      longer allowed to circumvent address-canonicity checks. (This is
      only a minor issue, since such channels have no way to set ed25519
      keys, and therefore should always be rejected for circuits that
      specify ed25519 identities.) Closes ticket 40081.

  o Minor features (debugging, directory system):
    - Don't crash when we find a non-guard with a guard-fraction value
      set. Instead, log a bug warning, in an attempt to figure out how
      this happened. Diagnostic for ticket 32868.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, backport from 0.4.4.5):
    - Our "make check" target now runs the unit tests in 8 parallel
      chunks. Doing this speeds up hardened CI builds by more than a
      factor of two. Closes ticket 40098.

  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc):
    - Fix a correctness bug that could cause an assertion failure if we
      ever tried using the buf_move_all() function with an empty input
      buffer. As far as we know, no released versions of Tor do this.
      Fixes bug 40076; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.

  o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc):
    - On a bridge, treat all connections from an ExtORPort as remote by
      default for the purposes of rate-limiting. Previously, bridges
      would treat the connection as local unless they explicitly
      received a "USERADDR" command. ExtORPort connections still count
      as local if there is a USERADDR command with an explicit local
      address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha):
    - Adjust the rules for when to warn about having too many
      connections to other relays. Previously we'd tolerate up to 1.5
      connections per relay on average. Now we tolerate more connections
      for directory authorities, and raise the number of total
      connections we need to see before we warn. Fixes bug 33880; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Minor bugfixes (tests, 0.4.4.5):
    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
      on its own. Previously, it would exit with an error. Fixes bug
      40099; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (windows, backport from 0.4.4.4-rc):
    - Fix a bug that prevented Tor from starting if its log file grew
      above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha.

  o Deprecated features (onion service v2, backport from 0.4.4.2-alpha):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.


Changes in version 0.4.5.1-alpha - 2020-11-01
  Tor 0.4.5.1-alpha is the first alpha release in the 0.4.5.x series. It
  improves support for IPv6, address discovery and self-testing, code
  metrics and tracing.

  This release also fixes TROVE-2020-005, a security issue that could be
  used, under certain cases, by an adversary to observe traffic patterns
  on a limited number of circuits intended for a different relay. To
  mount this attack, the adversary would need to actively extend
  circuits to an incorrect address, as well as compromise a relay's
  legacy RSA-1024 key. We'll be backporting this fix to other release
  series soon, after it has had some testing.

  Here are the changes since 0.4.4.5.

  o Major features (build):
    - When building Tor, first link all object files into a single
      static library. This may help with embedding Tor in other
      programs. Note that most Tor functions do not constitute a part of
      a stable or supported API: only those functions in tor_api.h
      should be used if embedding Tor. Closes ticket 40127.

  o Major features (metrics):
    - Introduce a new MetricsPort which exposes, through an HTTP
      interface, a series of metrics that tor collects at runtime. At
      the moment, the only supported output format is Prometheus data
      model. Closes ticket 40063. See the manual page for more
      information and security considerations.
  o Major features (relay, IPv6):
    - The torrc option Address now supports IPv6. This unifies our
      address discovery interface to support IPv4, IPv6, and hostnames.
      Closes ticket 33233.
    - Launch IPv4 and IPv6 ORPort self-test circuits on relays and
      bridges. Closes ticket 33222.
    - Relays now automatically bind on IPv6 for their ORPort, unless
      specified otherwise with the IPv4Only flag. Closes ticket 33246.
    - When a relay with IPv6 support is told to open a connection to
      another relay, and the extend cell lists both IPv4 and IPv6
      addresses, the first relay now picks randomly which address to
      use. Closes ticket 33220.
    - Relays now track their IPv6 ORPort reachability separately from
      the reachability of their IPv4 ORPort. They will not publish a
      descriptor unless _both_ ports appear to be externally reachable.
      Closes ticket 34067.

  o Major features (tracing):
    - Add event-tracing library support for USDT and LTTng-UST, and a
      few tracepoints in the circuit subsystem. More will come
      incrementally. This feature is compiled out by default: it needs
      to be enabled at configure time. See documentation in
      doc/HACKING/Tracing.md. Closes ticket 32910.

  o Major bugfixes (security):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Major bugfixes (TLS, buffer):
    - When attempting to read N bytes on a TLS connection, really try to
      read all N bytes. Previously, Tor would stop reading after the
      first TLS record, which can be smaller than the N bytes requested,
      and not check for more data until the next mainloop event. Fixes
      bug 40006; bugfix on 0.1.0.5-rc.
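
The short-read behaviour described in the TLS entry above, modelled without a TLS library. This is an added example, not Tor's code; record_stream and every function name in it are hypothetical, and the record payloads are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a TLS connection: application data arrives as
 * discrete records, and one read call never crosses a record boundary. */
struct record_stream {
    const char *const *records; /* non-empty record payloads, in order */
    size_t n_records;
    size_t cur;                 /* index of the record being consumed */
    size_t off;                 /* bytes already consumed from it */
};

#define RS_WOULD_BLOCK 0 /* nothing is buffered right now */

/* Return up to `want` bytes, taken from the current record only. */
static size_t record_read(struct record_stream *rs, char *out, size_t want)
{
    if (rs->cur >= rs->n_records)
        return RS_WOULD_BLOCK;

    const char *rec = rs->records[rs->cur];
    size_t len = strlen(rec);
    size_t left = len - rs->off;
    size_t n = want < left ? want : left;

    memcpy(out, rec + rs->off, n);
    rs->off += n;
    if (rs->off == len) {       /* record exhausted: move to the next one */
        rs->cur++;
        rs->off = 0;
    }
    return n;
}

/* Behaviour before the fix: a single call, so at most one record comes
 * back even when more data is already buffered. */
size_t read_single_record(struct record_stream *rs, char *out, size_t n)
{
    return record_read(rs, out, n);
}

/* Behaviour after the fix: keep reading until n bytes have arrived or
 * the stream reports that nothing more is available. */
size_t read_up_to_n(struct record_stream *rs, char *out, size_t n)
{
    size_t total = 0;

    while (total < n) {
        size_t got = record_read(rs, out + total, n - total);
        if (got == RS_WOULD_BLOCK)
            break;
        total += got;
    }
    return total;
}

int main(void)
{
    /* Three constructed records of 5, 7 and 4 bytes. */
    const char *const recs[] = { "hello", "tor rel", "ays!" };
    char buf[32];

    struct record_stream before = { recs, 3, 0, 0 };
    struct record_stream after = { recs, 3, 0, 0 };

    printf("single call, 16 requested: %zu bytes\n",
           read_single_record(&before, buf, 16));
    printf("looping read, 16 requested: %zu bytes\n",
           read_up_to_n(&after, buf, 16));
    return 0;
}
```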

  o Minor features (address discovery):
    - If no Address statements are found, relays now prioritize guessing
      their address by looking at the local interface instead of the
      local hostname. If the interface address can't be found, the local
      hostname is used. Closes ticket 33238.

  o Minor features (admin tools):
    - Add a new --format argument to the --key-expiration option to
      allow specifying the time format of the expiration date. Adds
      Unix timestamp format support. Patch by Daniel Pinto. Closes
      ticket 30045.

  o Minor features (bootstrap reporting):
    - When reporting bootstrapping status on a relay, do not consider
      connections that have never been the target of an origin circuit.
      Previously, all connection failures were treated as potential
      bootstrapping failures, including connections that had been opened
      because of client requests. Closes ticket 25061.

  o Minor features (build):
    - When running the configure script, try to detect version
      mismatches between the OpenSSL headers and libraries, and suggest
      that the user should try "--with-openssl-dir". Closes 40138.
    - If the configure script has given any warnings, remind the user
      about them at the end of the script. Related to 40138.

  o Minor features (configuration):
    - Allow using wildcards (* and ?) with the %include option on
      configuration files. Closes ticket 25140. Patch by Daniel Pinto.
    - Allow the configuration options EntryNodes, ExcludeNodes,
      ExcludeExitNodes, ExitNodes, MiddleNodes, HSLayer2Nodes and
      HSLayer3Nodes to be specified multiple times. Closes ticket 28361.
      Patch by Daniel Pinto.

  o Minor features (control port):
    - Add a DROPTIMEOUTS command to drop circuit build timeout history
      and reset the current timeout. Closes ticket 40002.
    - When a stream enters the AP_CONN_STATE_CONTROLLER_WAIT status,
      send a control port event. Closes ticket 32190. Patch by
      Neel Chauhan.
    - Introduce GETINFO "stats/ntor/{assigned/requested}" and
      "stats/tap/{assigned/requested}" to get the NTor and TAP circuit
      onion handshake counts respectively. Closes ticket 28279. Patch by
      Neel Chauhan.

  o Minor features (control port, IPv6):
    - Tor relays now try to report to the controller when they are
      launching an IPv6 self-test. Closes ticket 34068.
    - Introduce "GETINFO address/v4" and "GETINFO address/v6" in the
      control port to fetch the Tor host's respective IPv4 or IPv6
      address. We keep "GETINFO address" for backwards-compatibility.
      Closes ticket 40039. Patch by Neel Chauhan.

  o Minor features (directory authorities):
    - Authorities now list a different set of protocols as required and
      recommended. These lists have been chosen so that only truly
      recommended and/or required protocols are included, and so that
      clients using 0.2.9 or later will continue to work (even though
      they are not supported), whereas only relays running 0.3.5 or
      later will meet the requirements. Closes ticket 40162.
    - Add a new consensus method 30 that removes the unnecessary "="
      padding from ntor-onion-key. Closes ticket 7869. Patch by
      Daniel Pinto.
    - Directory authorities now reject descriptors from relays running
      Tor versions from the obsolete 0.4.1 series. Resolves ticket
      34357. Patch by Neel Chauhan.
    - Make it possible to specify multiple ConsensusParams torrc lines.
      Now directory authority operators can for example put the main
      ConsensusParams config in one torrc file and then add to it from a
      different torrc file. Closes ticket 40164.
    - The AssumeReachable option no longer stops directory authorities
      from checking whether other relays are running. A new
      AuthDirTestReachability option can be used to disable these
      checks. Closes ticket 34445.
    - When looking for possible Sybil attacks, also consider IPv6
      addresses. Two routers are considered to have "the same" address
      by this metric if they are in the same /64 network. Patch from
      Maurice Pibouin. Closes ticket 7193.

  o Minor features (directory authorities, IPv6):
    - Make authorities add their IPv6 ORPort (if any) to the trusted
      servers list. Authorities previously added only their IPv4
      addresses. Closes ticket 32822.

  o Minor features (ed25519, relay):
    - Save a relay's base64-encoded ed25519 identity key to the data
      directory in a file named fingerprint-ed25519. Closes ticket
      30642. Patch by Neel Chauhan.

  o Minor features (heartbeat):
    - Include the total number of inbound and outbound IPv4 and IPv6
      connections in the heartbeat message. Closes ticket 29113.

  o Minor features (IPv6, ExcludeNodes):
    - Handle IPv6 addresses in ExcludeNodes; previously they were
      ignored. Closes ticket 34065. Patch by Neel Chauhan.

  o Minor features (logging):
    - Add the running glibc version to the log, and the compiled glibc
      version to the library list returned when using --library-versions.
      Patch from Daniel Pinto. Closes ticket 40047.
    - Consider an HTTP 301 response to be an error (like a 404) when
      processing a directory response. Closes ticket 40053.
    - Log directory fetch statistics as a single line. Closes
      ticket 40159.
    - Provide more complete descriptions of our connections when logging
      about them. Closes ticket 40041.
    - When describing a relay in the logs, we now include its ed25519
      identity. Closes ticket 22668.

  o Minor features (onion services):
    - Only overwrite an onion service's existing hostname file if its
      contents are wrong. This enables read-only onion-service
      directories. Resolves ticket 40062. Patch by Neel Chauhan.

  o Minor features (pluggable transports):
    - Add an OutboundBindAddressPT option to allow users to specify
      which IPv4 and IPv6 address pluggable transports should use for
      outgoing IP packets. Tor does not have a way to enforce that the
      pluggable transport honors this option, so each pluggable transport
      needs to implement support on its own. Closes ticket 5304.

  o Minor features (relay address tracking):
    - We now store relay addresses for OR connections in a more logical
      way. Previously we would sometimes overwrite the actual address of
      a connection with a "canonical address", and then store the "real
      address" elsewhere to remember it. We now track the "canonical
      address" elsewhere for the cases where we need it, and leave the
      connection's address alone. Closes ticket 33898.

  o Minor features (relay):
    - If a relay is unable to discover its address, attempt to learn it
      from the NETINFO cell. Closes ticket 40022.
    - Log immediately when launching a relay self-check. Previously we
      would try to log before launching checks, or approximately when we
      intended to launch checks, but this tended to be error-prone.
      Closes ticket 34137.

  o Minor features (relay, address discovery):
    - If the Address option is not found in torrc, attempt to learn our
      address with the configured ORPort address if any. Closes
      ticket 33236.

  o Minor features (relay, IPv6):
    - Add an AssumeReachableIPv6 option to disable self-checking IPv6
      reachability. Closes part of ticket 33224.
    - Add new "assume-reachable" and "assume-reachable-ipv6" consensus
      parameters to be used in an emergency to tell relays that they
      should publish even if they cannot complete their ORPort self-
      checks. Closes ticket 34064 and part of 33224.
    - Allow relays to send IPv6-only extend cells. Closes ticket 33222.
    - Declare support for the Relay=3 subprotocol version. Closes
      ticket 33226.
    - When launching IPv6 ORPort self-test circuits, make sure that the
      second-last hop can initiate an IPv6 extend. Closes ticket 33222.

  o Minor features (specification update):
    - Several fields in microdescriptors, router descriptors, and
      consensus documents that were formerly optional are now required.
      Implements proposal 315; closes ticket 40132.

  o Minor features (state management):
    - When loading the state file, remove entries from the statefile
      that have been obsolete for a long time. Ordinarily Tor preserves
      unrecognized entries in order to keep forward-compatibility, but
      these entries have not actually been used in any release since
      before 0.3.5.x. Closes ticket 40137.

  o Minor features (statistics, ipv6):
    - Relays now publish IPv6-specific counts of single-direction versus
      bidirectional relay connections. Closes ticket 33264.
    - Relays now publish their IPv6 read and write statistics over time,
      if statistics are enabled. Closes ticket 33263.

  o Minor features (subprotocol versions):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.
    - Use the new limitations on subprotocol versions due to proposal
      318 to simplify our implementation. Part of ticket 40133.

  o Minor features (testing configuration):
    - The TestingTorNetwork option no longer implicitly sets
      AssumeReachable to 1. This change allows us to test relays' self-
      testing mechanisms, and to test authorities' relay-testing
      functionality. Closes ticket 34446.

  o Minor features (testing):
    - Added unit tests for channel_matches_target_addr_for_extend().
      Closes ticket 33919. Patch by MrSquanchee.

  o Minor features (tests, v2 onion services):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (circuit padding):
    - When circpad_send_padding_cell_for_callback is called, the
      `is_padding_timer_scheduled` flag was not reset. Now it is set to
      0 at the top of that function. Fixes bug 32671; bugfix
      on 0.4.0.1-alpha.
    - Add a per-circuit padding machine instance counter, so we can
      differentiate between shutdown requests for old machines on a
      circuit. Fixes bug 30992; bugfix on 0.4.1.1-alpha.
    - Add the ability to keep circuit padding machines if they match a
      set of circuit states or purposes. This allows us to have machines
      that start up under some conditions but don't shut down under
      others. We now use this mask to avoid starting up introduction
      circuit padding again after the machines have already completed.
      Fixes bug 32040; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (compatibility):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation):
    - Fix compiler warnings that would occur when building with
      "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
      same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (configuration):
    - Fix a bug where %including a pattern ending with */ would include
      files and folders (instead of folders only) in versions of glibc <
      2.19. Fixes bug 40141; bugfix on 0.4.5.0-alpha-dev. Patch by
      Daniel Pinto.

  o Minor bugfixes (control port):
    - Make sure we send the SOCKS request address in relay begin cells
      when a stream is attached with the purpose
      CIRCUIT_PURPOSE_CONTROLLER. Fixes bug 33124; bugfix on 0.0.5.
      Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.
    - When logging a rate-limited message about how many messages have
      been suppressed in the last N seconds, give an accurate value for
      N, rounded up to the nearest minute. Previously we would report
      the size of the rate-limiting interval, regardless of when the
      messages started to occur. Fixes bug 19431; bugfix
      on 0.2.2.16-alpha.

  o Minor bugfixes (relay configuration, crash):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (rust, protocol versions):
    - Declare support for the onion service introduction point denial of
      service extensions when building with Rust. Fixes bug 34248;
      bugfix on 0.4.2.1-alpha.
    - Make Rust protocol version support checks consistent with the
      undocumented error behavior of the corresponding C code. Fixes bug
      34251; bugfix on 0.3.3.5-rc.

  o Minor bugfixes (self-testing):
    - When receiving an incoming circuit, only accept it as evidence
      that we are reachable if the declared address of its channel is
      the same address we think that we have. Otherwise, it could be
      evidence that we're reachable on some other address. Fixes bug
      20165; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (spec conformance):
    - Use the correct key type when generating signing->link
      certificates. Fixes bug 40124; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (subprotocol versions):
    - Consistently reject extra commas, instead of only rejecting
      leading commas. Fixes bug 27194; bugfix on 0.2.9.4-alpha.
    - In summarize_protover_flags(), treat empty strings the same as
      NULL. This prevents protocols_known from being set. Previously, we
      treated empty strings as normal strings, which led to
      protocols_known being set. Fixes bug 34232; bugfix on
      0.3.3.2-alpha. Patch by Neel Chauhan.
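
A sketch of what the 63-version cap (under "Minor features (subprotocol versions)") and the comma rule above make possible: a version list such as "1-3,5" fits in one 64-bit mask. This is an added example, not Tor's protover code; the function names are hypothetical, the inputs are constructed, and rejecting an empty list is a choice made for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PROTOVER 63 /* largest version allowed after the change */

/* Parse one decimal version at *s and advance *s past its digits.
 * Returns 0 on success, -1 if no digit is present or the value is > 63. */
static int parse_version(const char **s, unsigned *out)
{
    unsigned v = 0;

    if (!isdigit((unsigned char)**s))
        return -1;
    while (isdigit((unsigned char)**s)) {
        v = v * 10 + (unsigned)(**s - '0');
        if (v > MAX_PROTOVER)
            return -1; /* reject early, so v can never overflow */
        (*s)++;
    }
    *out = v;
    return 0;
}

/* Parse a version list such as "1-3,5" into a bitmask (bit v set means
 * version v is listed). Returns 0 on success, -1 on malformed input.
 * Assumption made for this example: an empty list is rejected. */
int parse_version_list(const char *s, uint64_t *mask_out)
{
    uint64_t mask = 0;

    for (;;) {
        unsigned lo = 0, hi = 0, v;

        /* Every entry must start with a digit. This one check rejects
         * leading (",1"), doubled ("1,,2") and trailing ("1,") commas. */
        if (parse_version(&s, &lo) < 0)
            return -1;
        hi = lo;
        if (*s == '-') {
            s++;
            if (parse_version(&s, &hi) < 0 || hi < lo)
                return -1;
        }
        for (v = lo; v <= hi; v++)
            mask |= UINT64_C(1) << v;

        if (*s == '\0')
            break;
        if (*s != ',')
            return -1;
        s++;
    }
    *mask_out = mask;
    return 0;
}

/* With versions capped at 63, a support check is a single bit test. */
int version_supported(uint64_t mask, unsigned v)
{
    return v <= MAX_PROTOVER && ((mask >> v) & 1);
}

int main(void)
{
    /* Constructed inputs, not taken from a real descriptor. */
    const char *samples[] = { "1-3,5", "0-63", "64", ",1", "1,,2", "1," };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t mask = 0;
        int rc = parse_version_list(samples[i], &mask);

        printf("%-8s -> rc=%d mask=0x%016llx\n", samples[i], rc,
               (unsigned long long)mask);
    }
    return 0;
}
```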

  o Minor bugfixes (v2 onion services):
    - For HSFETCH commands on v2 onion services addresses, check the
      length of bytes decoded, not the base32 length. Fixes bug 34400;
      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.

  o Code simplification and refactoring:
    - Add and use a set of functions to perform down-casts on constant
      connection and channel pointers. Closes ticket 40046.
    - Refactor our code that logs descriptions of connections, channels,
      and the peers on them, to use a single call path. This change
      enables us to refactor the data types that they use, and eliminates
      many confusing usages of those types. Closes ticket 40041.
    - Refactor some common node selection code into a single function.
      Closes ticket 34200.
    - Remove the now-redundant 'outbuf_flushlen' field from our
      connection type. It was previously used for an older version of
      our rate-limiting logic. Closes ticket 33097.
    - Rename "fascist_firewall_*" identifiers to "reachable_addr_*"
      instead, for consistency with other code. Closes ticket 18106.
    - Rename functions about "advertised" ports which are not in fact
      guaranteed to return the ports that have been advertised. Closes
      ticket 40055.
    - Split implementation of several command line options from
      options_init_from_torrc into smaller isolated functions. Patch by
      Daniel Pinto. Closes ticket 40102.
    - When an extend cell is missing an IPv4 or IPv6 address, fill in
      the address from the extend info. This is similar to what was done
      in ticket 33633 for ed25519 keys. Closes ticket 33816. Patch by
      Neel Chauhan.

  o Deprecated features:
    - The "non-builtin" argument to the "--dump-config" command is now
      deprecated. When it works, it behaves the same as "short", which
      you should use instead. Closes ticket 33398.

  o Documentation:
    - Replace URLs from our old bugtracker so that they refer to the new
      bugtracker and wiki. Closes ticket 40101.

  o Removed features:
    - We no longer ship or build a "tor.service" file for use with
      systemd. No distribution included this script unmodified, and we
      don't have the expertise ourselves to maintain this in a way that
      all the various systemd-based distributions can use. Closes
      ticket 30797.
    - We no longer ship support for the Android logging API. Modern
      versions of Android can use the syslog API instead. Closes
      ticket 32181.
    - The "optimistic data" feature is now always on; there is no longer
      an option to disable it from the torrc file or from the consensus
      directory. Closes part of 40139.
    - The "usecreatefast" network parameter is now removed; there is no
      longer an option for authorities to turn it off. Closes part
      of 40139.

  o Testing:
    - Add unit tests for bandwidth statistics manipulation functions.
      Closes ticket 33812. Patch by MrSquanchee.

  o Code simplification and refactoring (autoconf):
    - Remove autoconf checks for unused funcs and headers. Closes ticket
      31699. Patch by @bduszel.

  o Code simplification and refactoring (maintainer scripts):
    - Disable the pre-commit hook by default. Use the environment
      variable TOR_EXTRA_PRE_COMMIT_CHECKS in order to run it.
      Furthermore, stop running practracker in the pre-commit hook and
      make check-local. Closes ticket 40019.

  o Code simplification and refactoring (relay address):
    - Most of the IPv4 representation was using "uint32_t". It has now
      been moved to use the internal "tor_addr_t" interface instead.
      This is so we can properly integrate IPv6 alongside IPv4 with
      common interfaces. Closes ticket 40043.

  o Documentation (manual page):
    - Move the manual pages from doc/ to doc/man/. Closes ticket 40044.
    - Describe the status of the "Sandbox" option more accurately. It is
      no longer "experimental", but it _is_ dependent on kernel and libc
      versions. Closes ticket 23378.

  o Documentation (tracing):
    - Document in depth the circuit subsystem trace events in the new
      doc/tracing/EventsCircuit.md. Closes ticket 40036.


Changes in version 0.4.4.5 - 2020-09-15
  Tor 0.4.4.5 is the first stable release in the 0.4.4.x series. This
  series improves our guard selection algorithms, adds v3 onion balance
  support, improves the amount of code that can be disabled when running
  without relay support, and includes numerous small bugfixes and
  enhancements. It also lays the ground for some IPv6 features that
  we'll be developing more in the next (0.4.5) series.

  Per our support policy, we support each stable release series for nine
  months after its first stable release, or three months after the first
  stable release of the next series: whichever is longer. This means
  that 0.4.4.x will be supported until around June 2021--or later, if
  0.4.5.x is later than anticipated.

  Note also that support for 0.4.2.x has just ended; support for 0.4.3
  will continue until Feb 15, 2021. We still plan to continue supporting
  0.3.5.x, our long-term stable series, until Feb 2022.

  Below are the changes since 0.4.4.4-rc. For a complete list of changes
  since 0.4.3.6, see the ReleaseNotes file.

  o Major bugfixes (onion services, DoS):
    - Correct handling of parameters for the onion service DoS defense.
      Previously, the consensus parameters for the onion service DoS
      defenses were overwriting the parameters set by the service
      operator using HiddenServiceEnableIntroDoSDefense. Fixes bug
      40109; bugfix on 0.4.2.1-alpha.

  o Major bugfixes (stats, onion services):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Minor features (control port):
    - If a ClientName was specified in ONION_CLIENT_AUTH_ADD for an
      onion service, display it when we use ONION_CLIENT_AUTH_VIEW.
      Closes ticket 40089. Patch by Neel Chauhan.

  o Minor features (denial-of-service memory limiter):
    - Allow the user to configure even lower values for the
      MaxMemInQueues parameter. Relays now enforce a minimum of 64 MB,
      when previously the minimum was 256 MB. On clients, there is no
      minimum. Relays and clients will both warn if the value is set so
      low that Tor is likely to stop working. Closes ticket 24308.

  o Minor features (tests):
    - Our "make check" target now runs the unit tests in 8 parallel
      chunks. Doing this speeds up hardened CI builds by more than a
      factor of two. Closes ticket 40098.

  o Minor bugfixes (guard selection algorithm):
    - Avoid needless guard-related warning when upgrading from 0.4.3 to
      0.4.4. Fixes bug 40105; bugfix on 0.4.4.1-alpha.

  o Minor bugfixes (tests):
    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
      on its own. Previously, it would exit with an error. Fixes bug
      40099; bugfix on 0.2.8.1-alpha.


Changes in version 0.4.4.3-alpha - 2020-07-27
  Tor 0.4.4.3-alpha fixes several annoyances in previous versions,
  including one affecting NSS users, and several affecting the Linux
  seccomp2 sandbox.

  o Major features (fallback directory list):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (NSS):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Fix a regression on sandboxing rules for the openat() syscall. The
      fix for bug 25440 fixed the problem on systems with glibc >= 2.27
      but broke with earlier versions of glibc. We now choose a rule
      based on the glibc version. Patch from Daniel Pinto. Fixes bug
      27315; bugfix on 0.3.5.11.
    - Make the seccomp sandbox allow the correct syscall for opendir
      according to the running glibc version. This fixes crashes when
      reloading torrc with sandbox enabled when running on glibc 2.15 to
      2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix
      on 0.3.5.11.

  o Minor bugfixes (relay, usability):
    - Adjust the rules for when to warn about having too many
      connections to other relays. Previously we'd tolerate up to 1.5
      connections per relay on average. Now we tolerate more connections
      for directory authorities, and raise the number of total
      connections we need to see before we warn. Fixes bug 33880; bugfix
      on 0.3.1.1-alpha.

  o Documentation:
    - Replace most http:// URLs in our code and documentation with
      https:// URLs. (We have left unchanged the code in src/ext/, and
      the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand.

  o Removed features:
    - Our "check-local" test target no longer tries to use the
      Coccinelle semantic patching tool to parse all the C files. While
      it is a good idea to try to make sure Coccinelle works on our C
      before we run a Coccinelle patch, doing so on every test run has
      proven to be disruptive. You can still run this tool manually with
      "make check-cocci". Closes ticket 40030.


Changes in version 0.3.5.11 - 2020-07-09
  Tor 0.3.5.11 backports fixes from later tor releases, including several
  usability, portability, and reliability fixes.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as
  CVE-2020-15572. Anybody running a version of Tor built with the NSS
  library should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or
  0.4.4.2-alpha or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.2.8 - 2020-07-09
  Tor 0.4.2.8 backports various fixes from later releases, including
  several that affect usability and portability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor feature (sendme, flow control, backport from 0.4.3.4-rc):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (diagnostic, backport from 0.4.3.3-alpha):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (controller protocol, backport from 0.4.3.2-alpha):
    - When receiving "ACTIVE" or "DORMANT" signals on the control port,
      report them as SIGNAL events. Previously we would log a bug
      warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-rc):
    - When logging a bug, do not say "Future instances of this warning
      will be silenced" unless we are actually going to silence them.
      Previously we would say this whenever a BUG() check failed in the
      code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.4-rc):
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.3.6 - 2020-07-09
  Tor 0.4.3.6 backports several bugfixes from later releases, including
  some affecting usability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha):
    - Fix a startup crash when tor is compiled with --enable-nss and
      sandbox support is enabled. Fixes bug 34130; bugfix on
      0.3.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (manual page, backport from 0.4.4.1-alpha):
    - Update the man page to reflect that MinUptimeHidServDirectoryV2
      defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha):
    - Prevent an assert() that would occur when cleaning the client
      descriptor cache, and attempting to close circuits for a non-
      decrypted descriptor (lacking client authorization). Fixes bug
      33458; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (portability, backport from 0.4.4.1-alpha):
    - Fix a portability error in the configure script, where we were
      using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.

  o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Documentation (backport from 0.4.4.1-alpha):
    - Fix several doxygen warnings related to imbalanced groups. Closes
      ticket 34255.


Changes in version 0.4.4.2-alpha - 2020-07-09
  This is the second alpha release in the 0.4.4.x series. It fixes a few
  bugs in the previous release, and solves a few usability,
  compatibility, and portability issues.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor features (bootstrap reporting):
    - Report more detailed reasons for bootstrap failure when the
      failure happens due to a TLS error. Previously we would just call
      these errors "MISC" when they happened during read, and "DONE"
      when they happened during any other TLS operation. Closes
      ticket 32622.

  o Minor features (directory authority):
    - Authorities now recommend the protocol versions that are supported
      by Tor 0.3.5 and later. (Earlier versions of Tor have been
      deprecated since January of this year.) This recommendation will
      cause older clients and relays to give a warning on startup, or
      when they download a consensus directory. Closes ticket 32696.

  o Minor features (entry guards):
    - Reinstate support for GUARD NEW/UP/DOWN control port events.
      Closes ticket 40001.

  o Minor features (linux seccomp2 sandbox, portability):
    - Allow Tor to build on platforms where it doesn't know how to
      report which syscall caused the linux seccomp2 sandbox to fail.
      This change should make the sandbox code more portable to less
      common Linux architectures. Closes ticket 34382.
    - Permit the unlinkat() syscall, which some Libc implementations use
      to implement unlink(). Closes ticket 33346.

  o Minor bugfix (CI, Windows):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (onion service v3 client):
    - Remove a BUG() warning that could occur naturally. Fixes bug
      34087; bugfix on 0.3.2.1-alpha.

  o Minor bugfix (SOCKS, onion service client):
    - Detect v3 onion service addresses of the wrong length when
      returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix
      on 0.4.3.1-alpha.

  o Minor bugfixes (compiler warnings):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (control port, onion service):
    - Consistently use 'address' in "Invalid v3 address" response to
      ONION_CLIENT_AUTH commands. Previously, we would sometimes say
      'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (logging):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion services v3):
    - Avoid a non-fatal assertion failure in certain edge-cases when
      opening an intro circuit as a client. Fixes bug 34084; bugfix
      on 0.3.2.1-alpha.

  o Deprecated features (onion service v2):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.

  o Removed features (IPv6, revert):
    - Revert the change in the default value of ClientPreferIPv6OrPort:
      it breaks the torsocks use case. The SOCKS resolve command has no
      mechanism to ask for a specific address family (v4 or v6), and so
      prioritizing IPv6 when an IPv4 address is requested on the SOCKS
      interface resulted in a failure. Tor Browser explicitly sets
      PreferIPv6, so this should not affect the majority of our users.
      Closes ticket 33796; bugfix on 0.4.4.1-alpha.

