From 172d5107942d20a9468a13b9d25ead47eb9dbc1c Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Tue, 26 Oct 2021 04:50:59 -0400 Subject: [PATCH] sort recent changelog stanzas by release date --- ChangeLog | 354 ++++++++++++++++----------------- ReleaseNotes | 546 +++++++++++++++++++++++++-------------------------- 2 files changed, 450 insertions(+), 450 deletions(-) diff --git a/ChangeLog b/ChangeLog index a061775812..d1bc48dc0c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -150,6 +150,183 @@ Changes in version 0.4.7.2-alpha - 2021-10-26 ticket 40485. +Changes in version 0.4.6.8 - 2021-10-26 + This version fixes several bugs from earlier versions of Tor. One + highlight is a fix on how we track DNS timeouts to report general + relay overload. + + o Major bugfixes (relay, overload state): + - Relays report the general overload state for DNS timeout errors + only if X% of all DNS queries over Y seconds are errors. Before + that, it only took 1 timeout to report the overload state which + was just too low of a threshold. The X and Y values are 1% and 10 + minutes respectively but they are also controlled by consensus + parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor features (testing): + - On a testing network, relays can now use the + TestingMinTimeToReportBandwidth option to change the smallest + amount of time over which they're willing to report their observed + maximum bandwidth. Previously, this was fixed at 1 day. For + safety, values under 2 hours are only supported on testing + networks. Part of a fix for ticket 40337. + - Relays on testing networks no longer rate-limit how frequently + they are willing to report new bandwidth measurements. Part of a + fix for ticket 40337. + - Relays on testing networks now report their observed bandwidths + immediately from startup. Previously, they waited until they had + been running for a full day. Closes ticket 40337. + + o Minor bugfix (onion service): + - Do not flag an HSDir as non-running in case the descriptor upload + or fetch fails. An onion service closes pending directory + connections before uploading a new descriptor which can thus lead + to wrongly flagging many relays and thus affecting circuit building + path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha. + - Improve logging when a bad HS version is given. Fixes bug 40476; + bugfix on 0.4.6.1-alpha. + + o Minor bugfix (CI, onion service): + - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; + bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (compatibility): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. + + o Minor bugfixes (onion service, TROVE-2021-008): + - Only log v2 access attempts once total, in order to not pollute + the logs with warnings and to avoid recording the times on disk + when v2 access was attempted. Note that the onion address was + _never_ logged. This counts as a Low-severity security issue. + Fixes bug 40474; bugfix on 0.4.5.8. + + +Changes in version 0.4.5.11 - 2021-10-26 + The major change in this version is that v2 onion services are now + disabled at the client, service, and relay: any Tor nodes running this + version and onward will stop supporting v2 onion services. This is the + last step in the long deprecation process of v2 onion services. + Everyone running an earlier version, whether as a client, a relay, or + an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, + or 0.4.6.8. + + o Major feature (onion service v2): + - See https://blog.torproject.org/v2-deprecation-timeline for + details on how to transition from v2 to v3. + - The control port commands HSFETCH and HSPOST no longer allow + version 2, and it is no longer possible to create a v2 service + with ADD_ONION. + - Tor no longer allows creating v2 services, or connecting as a + client to a v2 service. Relays will decline to be a v2 HSDir or + introduction point. This effectively disables onion service + version 2 Tor-wide. Closes ticket 40476. + + o Minor features (bridge, backport from 0.4.6.8): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor features (logging, diagnostic, backport from 0.4.6.5): + - Log decompression failures at a higher severity level, since they + can help provide missing context for other warning messages. We + rate-limit these messages, to avoid flooding the logs if they + begin to occur frequently. Closes ticket 40175. + + o Minor features (testing, backport from 0.4.6.8): + - On a testing network, relays can now use the + TestingMinTimeToReportBandwidth option to change the smallest + amount of time over which they're willing to report their observed + maximum bandwidth. Previously, this was fixed at 1 day. For + safety, values under 2 hours are only supported on testing + networks. Part of a fix for ticket 40337. + - Relays on testing networks no longer rate-limit how frequently + they are willing to report new bandwidth measurements. Part of a + fix for ticket 40337. + - Relays on testing networks now report their observed bandwidths + immediately from startup. Previously, they waited until they had + been running for a full day. Closes ticket 40337. + + o Minor bugfix (CI, onion service): + - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; + bugfix on 0.3.2.1-alpha. + + o Minor bugfix (onion service, backport from 0.4.6.8): + - Do not flag an HSDir as non-running in case the descriptor upload + or fetch fails. An onion service closes pending directory + connections before uploading a new descriptor which can thus lead + to wrongly flagging many relays and thus affecting circuit building + path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha. + + o Minor bugfixes (compatibility, backport from 0.4.6.8): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. + + o Minor bugfixes (consensus handling, backport from 0.4.6.4-rc): + - Avoid a set of bugs that could be caused by inconsistently + preferring an out-of-date consensus stored in a stale directory + cache over a more recent one stored on disk as the latest + consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (onion service, TROVE-2021-008, backport from 0.4.6.8): + - Only log v2 access attempts once total, in order to not pollute + the logs with warnings and to avoid recording the times on disk + when v2 access was attempted. Note that the onion address was + _never_ logged. This counts as a Low-severity security issue. + Fixes bug 40474; bugfix on 0.4.5.8. + + +Changes in version 0.3.5.17 - 2021-10-26 + The major change in this version is that v2 onion services are now + disabled at the client, service, and relay: any Tor nodes running this + version and onward will stop supporting v2 onion services. This is the + last step in the long deprecation process of v2 onion services. + Everyone running an earlier version, whether as a client, a relay, or + an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, + or 0.4.6.8. + + o Major feature (onion service v2, backport from 0.4.5.11): + - See https://blog.torproject.org/v2-deprecation-timeline for + details on how to transition from v2 to v3. + - The control port commands HSFETCH and HSPOST no longer allow + version 2, and it is no longer possible to create a v2 service + with ADD_ONION. + - Tor no longer allows creating v2 services, or connecting as a + client to a v2 service. Relays will decline to be a v2 HSDir or + introduction point. This effectively disables onion service + version 2 Tor-wide. Closes ticket 40476. + + o Minor features (bridge, backport from 0.4.6.8): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor bugfixes (compatibility, backport from 0.4.6.8): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. + + Changes in version 0.4.7.1-alpha - 2021-09-17 This version is the first alpha release of the 0.4.7.x series. One major feature is Vanguards Lite, from proposal 333, to help mitigate @@ -244,65 +421,6 @@ Changes in version 0.4.7.1-alpha - 2021-09-17 Fixes bug 40467; bugfix on 0.4.3.1-alpha. Patch by Neel Chauhan. -Changes in version 0.4.6.8 - 2021-10-26 - This version fixes several bugs from earlier versions of Tor. One - highlight is a fix on how we track DNS timeouts to report general - relay overload. - - o Major bugfixes (relay, overload state): - - Relays report the general overload state for DNS timeout errors - only if X% of all DNS queries over Y seconds are errors. Before - that, it only took 1 timeout to report the overload state which - was just too low of a threshold. The X and Y values are 1% and 10 - minutes respectively but they are also controlled by consensus - parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha. - - o Minor features (fallbackdir): - - Regenerate fallback directories for October 2021. Closes - ticket 40493. - - o Minor features (testing): - - On a testing network, relays can now use the - TestingMinTimeToReportBandwidth option to change the smallest - amount of time over which they're willing to report their observed - maximum bandwidth. Previously, this was fixed at 1 day. For - safety, values under 2 hours are only supported on testing - networks. Part of a fix for ticket 40337. - - Relays on testing networks no longer rate-limit how frequently - they are willing to report new bandwidth measurements. Part of a - fix for ticket 40337. - - Relays on testing networks now report their observed bandwidths - immediately from startup. Previously, they waited until they had - been running for a full day. Closes ticket 40337. - - o Minor bugfix (onion service): - - Do not flag an HSDir as non-running in case the descriptor upload - or fetch fails. An onion service closes pending directory - connections before uploading a new descriptor which can thus lead - to wrongly flagging many relays and thus affecting circuit building - path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha. - - Improve logging when a bad HS version is given. Fixes bug 40476; - bugfix on 0.4.6.1-alpha. - - o Minor bugfix (CI, onion service): - - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; - bugfix on 0.3.2.1-alpha. - - o Minor bugfixes (compatibility): - - Fix compatibility with the most recent Libevent versions, which no - longer have an evdns_set_random_bytes() function. Because this - function has been a no-op since Libevent 2.0.4-alpha, it is safe - for us to just stop calling it. Fixes bug 40371; bugfix - on 0.2.1.7-alpha. - - o Minor bugfixes (onion service, TROVE-2021-008): - - Only log v2 access attempts once total, in order to not pollute - the logs with warnings and to avoid recording the times on disk - when v2 access was attempted. Note that the onion address was - _never_ logged. This counts as a Low-severity security issue. - Fixes bug 40474; bugfix on 0.4.5.8. - - Changes in version 0.4.6.7 - 2021-08-16 This version fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone @@ -349,87 +467,6 @@ Changes in version 0.4.6.7 - 2021-08-16 schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. -Changes in version 0.4.5.11 - 2021-10-26 - The major change in this version is that v2 onion services are now - disabled at the client, service, and relay: any Tor nodes running this - version and onward will stop supporting v2 onion services. This is the - last step in the long deprecation process of v2 onion services. - Everyone running an earlier version, whether as a client, a relay, or - an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, - or 0.4.6.8. - - o Major feature (onion service v2): - - See https://blog.torproject.org/v2-deprecation-timeline for - details on how to transition from v2 to v3. - - The control port commands HSFETCH and HSPOST no longer allow - version 2, and it is no longer possible to create a v2 service - with ADD_ONION. - - Tor no longer allows creating v2 services, or connecting as a - client to a v2 service. Relays will decline to be a v2 HSDir or - introduction point. This effectively disables onion service - version 2 Tor-wide. Closes ticket 40476. - - o Minor features (bridge, backport from 0.4.6.8): - - We now announce the URL to Tor's new bridge status at - https://bridges.torproject.org/ when Tor is configured to run as a - bridge relay. Closes ticket 30477. - - o Minor features (fallbackdir): - - Regenerate fallback directories for October 2021. Closes - ticket 40493. - - o Minor features (logging, diagnostic, backport from 0.4.6.5): - - Log decompression failures at a higher severity level, since they - can help provide missing context for other warning messages. We - rate-limit these messages, to avoid flooding the logs if they - begin to occur frequently. Closes ticket 40175. - - o Minor features (testing, backport from 0.4.6.8): - - On a testing network, relays can now use the - TestingMinTimeToReportBandwidth option to change the smallest - amount of time over which they're willing to report their observed - maximum bandwidth. Previously, this was fixed at 1 day. For - safety, values under 2 hours are only supported on testing - networks. Part of a fix for ticket 40337. - - Relays on testing networks no longer rate-limit how frequently - they are willing to report new bandwidth measurements. Part of a - fix for ticket 40337. - - Relays on testing networks now report their observed bandwidths - immediately from startup. Previously, they waited until they had - been running for a full day. Closes ticket 40337. - - o Minor bugfix (CI, onion service): - - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; - bugfix on 0.3.2.1-alpha. - - o Minor bugfix (onion service, backport from 0.4.6.8): - - Do not flag an HSDir as non-running in case the descriptor upload - or fetch fails. An onion service closes pending directory - connections before uploading a new descriptor which can thus lead - to wrongly flagging many relays and thus affecting circuit building - path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha. - - o Minor bugfixes (compatibility, backport from 0.4.6.8): - - Fix compatibility with the most recent Libevent versions, which no - longer have an evdns_set_random_bytes() function. Because this - function has been a no-op since Libevent 2.0.4-alpha, it is safe - for us to just stop calling it. Fixes bug 40371; bugfix - on 0.2.1.7-alpha. - - o Minor bugfixes (consensus handling, backport from 0.4.6.4-rc): - - Avoid a set of bugs that could be caused by inconsistently - preferring an out-of-date consensus stored in a stale directory - cache over a more recent one stored on disk as the latest - consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha. - - o Minor bugfixes (onion service, TROVE-2021-008, backport from 0.4.6.8): - - Only log v2 access attempts once total, in order to not pollute - the logs with warnings and to avoid recording the times on disk - when v2 access was attempted. Note that the onion address was - _never_ logged. This counts as a Low-severity security issue. - Fixes bug 40474; bugfix on 0.4.5.8. - - Changes in version 0.4.5.10 - 2021-08-16 This version fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone @@ -479,43 +516,6 @@ Changes in version 0.4.5.10 - 2021-08-16 versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha. -Changes in version 0.3.5.17 - 2021-10-26 - The major change in this version is that v2 onion services are now - disabled at the client, service, and relay: any Tor nodes running this - version and onward will stop supporting v2 onion services. This is the - last step in the long deprecation process of v2 onion services. - Everyone running an earlier version, whether as a client, a relay, or - an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, - or 0.4.6.8. - - o Major feature (onion service v2, backport from 0.4.5.11): - - See https://blog.torproject.org/v2-deprecation-timeline for - details on how to transition from v2 to v3. - - The control port commands HSFETCH and HSPOST no longer allow - version 2, and it is no longer possible to create a v2 service - with ADD_ONION. - - Tor no longer allows creating v2 services, or connecting as a - client to a v2 service. Relays will decline to be a v2 HSDir or - introduction point. This effectively disables onion service - version 2 Tor-wide. Closes ticket 40476. - - o Minor features (bridge, backport from 0.4.6.8): - - We now announce the URL to Tor's new bridge status at - https://bridges.torproject.org/ when Tor is configured to run as a - bridge relay. Closes ticket 30477. - - o Minor features (fallbackdir): - - Regenerate fallback directories for October 2021. Closes - ticket 40493. - - o Minor bugfixes (compatibility, backport from 0.4.6.8): - - Fix compatibility with the most recent Libevent versions, which no - longer have an evdns_set_random_bytes() function. Because this - function has been a no-op since Libevent 2.0.4-alpha, it is safe - for us to just stop calling it. Fixes bug 40371; bugfix - on 0.2.1.7-alpha. - - Changes in version 0.3.5.16 - 2021-08-16 This version fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone diff --git a/ReleaseNotes b/ReleaseNotes index 73c351fa83..8401162ebe 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -61,54 +61,6 @@ Changes in version 0.4.6.8 - 2021-10-26 Fixes bug 40474; bugfix on 0.4.5.8. -Changes in version 0.4.6.7 - 2021-08-16 - This version fixes several bugs from earlier versions of Tor, including one - that could lead to a denial-of-service attack. Everyone running an earlier - version, whether as a client, a relay, or an onion service, should upgrade - to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. - - o Major bugfixes (cryptography, security): - - Resolve an assertion failure caused by a behavior mismatch between our - batch-signature verification code and our single-signature verification - code. This assertion failure could be triggered remotely, leading to a - denial of service attack. We fix this issue by disabling batch - verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is - also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de - Valence. - - o Minor feature (fallbackdir): - - Regenerate fallback directories list. Close ticket 40447. - - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/08/12. - - o Minor bugfix (crypto): - - Disable the unused batch verification feature of ed25519-donna. Fixes - bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence. - - o Minor bugfixes (onion service): - - Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) - for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha. - - o Minor bugfix (CI, onion service): - - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; - bugfix on 0.3.2.1-alpha. - - o Minor bugfixes (relay): - - Reduce the compression level for data streaming from HIGH to LOW in - order to reduce CPU load on the directory relays. Fixes bug 40301; - bugfix on 0.3.5.1-alpha. - - o Minor bugfixes (timekeeping): - - Calculate the time of day correctly on systems where the time_t - type includes leap seconds. (This is not the case on most - operating systems, but on those where it occurs, our tor_timegm - function did not correctly invert the system's gmtime function, - which could result in assertion failures when calculating - voting schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. - - Changes in version 0.4.5.11 - 2021-10-26 The major change in this version is that v2 onion services are now disabled at the client, service, and relay: any Tor nodes running this @@ -190,6 +142,91 @@ Changes in version 0.4.5.11 - 2021-10-26 Fixes bug 40474; bugfix on 0.4.5.8. +Changes in version 0.3.5.17 - 2021-10-26 + The major change in this version is that v2 onion services are now + disabled at the client, service, and relay: any Tor nodes running this + version and onward will stop supporting v2 onion services. This is the + last step in the long deprecation process of v2 onion services. + Everyone running an earlier version, whether as a client, a relay, or + an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, + or 0.4.6.8. + + o Major feature (onion service v2, backport from 0.4.5.11): + - See https://blog.torproject.org/v2-deprecation-timeline for + details on how to transition from v2 to v3. + - The control port commands HSFETCH and HSPOST no longer allow + version 2, and it is no longer possible to create a v2 service + with ADD_ONION. + - Tor no longer allows creating v2 services, or connecting as a + client to a v2 service. Relays will decline to be a v2 HSDir or + introduction point. This effectively disables onion service + version 2 Tor-wide. Closes ticket 40476. + + o Minor features (bridge, backport from 0.4.6.8): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor bugfixes (compatibility, backport from 0.4.6.8): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. + + +Changes in version 0.4.6.7 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, including one + that could lead to a denial-of-service attack. Everyone running an earlier + version, whether as a client, a relay, or an onion service, should upgrade + to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between our + batch-signature verification code and our single-signature verification + code. This assertion failure could be triggered remotely, leading to a + denial of service attack. We fix this issue by disabling batch + verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is + also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de + Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Close ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, + as retrieved on 2021/08/12. + + o Minor bugfix (crypto): + - Disable the unused batch verification feature of ed25519-donna. Fixes + bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence. + + o Minor bugfixes (onion service): + - Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) + for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha. + + o Minor bugfix (CI, onion service): + - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; + bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (relay): + - Reduce the compression level for data streaming from HIGH to LOW in + order to reduce CPU load on the directory relays. Fixes bug 40301; + bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (timekeeping): + - Calculate the time of day correctly on systems where the time_t + type includes leap seconds. (This is not the case on most + operating systems, but on those where it occurs, our tor_timegm + function did not correctly invert the system's gmtime function, + which could result in assertion failures when calculating + voting schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. + + Changes in version 0.4.5.10 - 2021-08-16 This version fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone running an earlier @@ -237,43 +274,6 @@ Changes in version 0.4.5.10 - 2021-08-16 of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha. -Changes in version 0.3.5.17 - 2021-10-26 - The major change in this version is that v2 onion services are now - disabled at the client, service, and relay: any Tor nodes running this - version and onward will stop supporting v2 onion services. This is the - last step in the long deprecation process of v2 onion services. - Everyone running an earlier version, whether as a client, a relay, or - an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, - or 0.4.6.8. - - o Major feature (onion service v2, backport from 0.4.5.11): - - See https://blog.torproject.org/v2-deprecation-timeline for - details on how to transition from v2 to v3. - - The control port commands HSFETCH and HSPOST no longer allow - version 2, and it is no longer possible to create a v2 service - with ADD_ONION. - - Tor no longer allows creating v2 services, or connecting as a - client to a v2 service. Relays will decline to be a v2 HSDir or - introduction point. This effectively disables onion service - version 2 Tor-wide. Closes ticket 40476. - - o Minor features (bridge, backport from 0.4.6.8): - - We now announce the URL to Tor's new bridge status at - https://bridges.torproject.org/ when Tor is configured to run as a - bridge relay. Closes ticket 30477. - - o Minor features (fallbackdir): - - Regenerate fallback directories for October 2021. Closes - ticket 40493. - - o Minor bugfixes (compatibility, backport from 0.4.6.8): - - Fix compatibility with the most recent Libevent versions, which no - longer have an evdns_set_random_bytes() function. Because this - function has been a no-op since Libevent 2.0.4-alpha, it is safe - for us to just stop calling it. Fixes bug 40371; bugfix - on 0.2.1.7-alpha. - - Changes in version 0.3.5.16 - 2021-08-16 This version fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone running an earlier @@ -324,194 +324,6 @@ Changes in version 0.4.6.6 - 2021-06-30 on 0.3.3.2-alpha. -Changes in version 0.4.5.9 - 2021-06-14 - Tor 0.4.5.9 fixes several security issues, including a - denial-of-service attack against onion service clients, and another - denial-of-service attack against relays. Everybody should upgrade to - one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. - - o Major bugfixes (security, backport from 0.4.6.5): - - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on - half-closed streams. Previously, clients failed to validate which - hop sent these cells: this would allow a relay on a circuit to end - a stream that wasn't actually built with it. Fixes bug 40389; - bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- - 003 and CVE-2021-34548. - - o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): - - Detect more failure conditions from the OpenSSL RNG code. - Previously, we would detect errors from a missing RNG - implementation, but not failures from the RNG code itself. - Fortunately, it appears those failures do not happen in practice - when Tor is using OpenSSL's default RNG implementation. Fixes bug - 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as - TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. - - o Major bugfixes (security, denial of service, backport from 0.4.6.5): - - Resist a hashtable-based CPU denial-of-service attack against - relays. Previously we used a naive unkeyed hash function to look - up circuits in a circuitmux object. An attacker could exploit this - to construct circuits with chosen circuit IDs, to create - collisions and make the hash table inefficient. Now we use a - SipHash construction here instead. Fixes bug 40391; bugfix on - 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and - CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. - - Fix an out-of-bounds memory access in v3 onion service descriptor - parsing. An attacker could exploit this bug by crafting an onion - service descriptor that would crash any client that tried to visit - it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also - tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei - Glazunov from Google's Project Zero. - - o Minor features (compatibility, backport from 0.4.6.4-rc): - - Remove an assertion function related to TLS renegotiation. It was - used nowhere outside the unit tests, and it was breaking - compilation with recent alpha releases of OpenSSL 3.0.0. Closes - ticket 40399. - - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, as - retrieved on 2021/06/10. - - o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc): - - Allow the control command SAVECONF to succeed when the seccomp - sandbox is enabled, and make SAVECONF keep only one backup file to - simplify implementation. Previously SAVECONF allowed a large - number of backup files, which made it incompatible with the - sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by - Daniel Pinto. - - o Minor bugfixes (metrics port, backport from 0.4.6.4-rc): - - Fix a bug that made tor try to re-bind() on an already open - MetricsPort every 60 seconds. Fixes bug 40370; bugfix - on 0.4.5.1-alpha. - - -Changes in version 0.4.4.9 - 2021-06-14 - Tor 0.4.4.9 fixes several security issues, including a - denial-of-service attack against onion service clients, and another - denial-of-service attack against relays. Everybody should upgrade to - one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. - - Note that the scheduled end-of-life date for the Tor 0.4.4.x series is - June 15. This is therefore the last release in its series. Everybody - still running 0.4.4.x should plan to upgrade to 0.4.5.x or later. - - o Major bugfixes (security, backport from 0.4.6.5): - - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on - half-closed streams. Previously, clients failed to validate which - hop sent these cells: this would allow a relay on a circuit to end - a stream that wasn't actually built with it. Fixes bug 40389; - bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- - 003 and CVE-2021-34548. - - o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): - - Detect more failure conditions from the OpenSSL RNG code. - Previously, we would detect errors from a missing RNG - implementation, but not failures from the RNG code itself. - Fortunately, it appears those failures do not happen in practice - when Tor is using OpenSSL's default RNG implementation. Fixes bug - 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as - TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. - - o Major bugfixes (security, denial of service, backport from 0.4.6.5): - - Resist a hashtable-based CPU denial-of-service attack against - relays. Previously we used a naive unkeyed hash function to look - up circuits in a circuitmux object. An attacker could exploit this - to construct circuits with chosen circuit IDs, to create - collisions and make the hash table inefficient. Now we use a - SipHash construction here instead. Fixes bug 40391; bugfix on - 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and - CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. - - Fix an out-of-bounds memory access in v3 onion service descriptor - parsing. An attacker could exploit this bug by crafting an onion - service descriptor that would crash any client that tried to visit - it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also - tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei - Glazunov from Google's Project Zero. - - o Minor features (compatibility, backport from 0.4.6.4-rc): - - Remove an assertion function related to TLS renegotiation. It was - used nowhere outside the unit tests, and it was breaking - compilation with recent alpha releases of OpenSSL 3.0.0. Closes - ticket 40399. - - o Minor features (fallback directory list, backport from 0.4.6.2-alpha): - - Regenerate the list of fallback directories to contain a new set - of 200 relays. Closes ticket 40265. - - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, as - retrieved on 2021/06/10. - - o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha): - - Fix a non-fatal BUG() message due to a too-early free of a string, - when listing a client connection from the DoS defenses subsystem. - Fixes bug 40345; bugfix on 0.4.3.4-rc. - - o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): - - Fix an indentation problem that led to a warning from GCC 11.1.1. - Fixes bug 40380; bugfix on 0.3.0.1-alpha. - - -Changes in version 0.3.5.15 - 2021-06-14 - Tor 0.3.5.15 fixes several security issues, including a - denial-of-service attack against onion service clients, and another - denial-of-service attack against relays. Everybody should upgrade to - one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. - - o Major bugfixes (security, backport from 0.4.6.5): - - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on - half-closed streams. Previously, clients failed to validate which - hop sent these cells: this would allow a relay on a circuit to end - a stream that wasn't actually built with it. Fixes bug 40389; - bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- - 003 and CVE-2021-34548. - - o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): - - Detect more failure conditions from the OpenSSL RNG code. - Previously, we would detect errors from a missing RNG - implementation, but not failures from the RNG code itself. - Fortunately, it appears those failures do not happen in practice - when Tor is using OpenSSL's default RNG implementation. Fixes bug - 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as - TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. - - o Major bugfixes (security, denial of service, backport from 0.4.6.5): - - Resist a hashtable-based CPU denial-of-service attack against - relays. Previously we used a naive unkeyed hash function to look - up circuits in a circuitmux object. An attacker could exploit this - to construct circuits with chosen circuit IDs, to create - collisions and make the hash table inefficient. Now we use a - SipHash construction here instead. Fixes bug 40391; bugfix on - 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and - CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. - - Fix an out-of-bounds memory access in v3 onion service descriptor - parsing. An attacker could exploit this bug by crafting an onion - service descriptor that would crash any client that tried to visit - it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also - tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei - Glazunov from Google's Project Zero. - - o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): - - Fix an indentation problem that led to a warning from GCC 11.1.1. - Fixes bug 40380; bugfix on 0.3.0.1-alpha. - - o Minor features (compatibility, backport from 0.4.6.4-rc): - - Remove an assertion function related to TLS renegotiation. It was - used nowhere outside the unit tests, and it was breaking - compilation with recent alpha releases of OpenSSL 3.0.0. Closes - ticket 40399. - - o Minor features (fallback directory list, backport from 0.4.6.2-alpha): - - Regenerate the list of fallback directories to contain a new set - of 200 relays. Closes ticket 40265. - - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, as - retrieved on 2021/06/10. - - Changes in version 0.4.6.5 - 2021-06-14 Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x series includes numerous features and bugfixes, including a significant @@ -822,6 +634,194 @@ Changes in version 0.4.6.5 - 2021-06-14 for now.) Closes ticket 40282. +Changes in version 0.4.5.9 - 2021-06-14 + Tor 0.4.5.9 fixes several security issues, including a + denial-of-service attack against onion service clients, and another + denial-of-service attack against relays. Everybody should upgrade to + one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. + + o Major bugfixes (security, backport from 0.4.6.5): + - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on + half-closed streams. Previously, clients failed to validate which + hop sent these cells: this would allow a relay on a circuit to end + a stream that wasn't actually built with it. Fixes bug 40389; + bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- + 003 and CVE-2021-34548. + + o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): + - Detect more failure conditions from the OpenSSL RNG code. + Previously, we would detect errors from a missing RNG + implementation, but not failures from the RNG code itself. + Fortunately, it appears those failures do not happen in practice + when Tor is using OpenSSL's default RNG implementation. Fixes bug + 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as + TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. + + o Major bugfixes (security, denial of service, backport from 0.4.6.5): + - Resist a hashtable-based CPU denial-of-service attack against + relays. Previously we used a naive unkeyed hash function to look + up circuits in a circuitmux object. An attacker could exploit this + to construct circuits with chosen circuit IDs, to create + collisions and make the hash table inefficient. Now we use a + SipHash construction here instead. Fixes bug 40391; bugfix on + 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and + CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. + - Fix an out-of-bounds memory access in v3 onion service descriptor + parsing. An attacker could exploit this bug by crafting an onion + service descriptor that would crash any client that tried to visit + it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also + tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei + Glazunov from Google's Project Zero. + + o Minor features (compatibility, backport from 0.4.6.4-rc): + - Remove an assertion function related to TLS renegotiation. It was + used nowhere outside the unit tests, and it was breaking + compilation with recent alpha releases of OpenSSL 3.0.0. Closes + ticket 40399. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/06/10. + + o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc): + - Allow the control command SAVECONF to succeed when the seccomp + sandbox is enabled, and make SAVECONF keep only one backup file to + simplify implementation. Previously SAVECONF allowed a large + number of backup files, which made it incompatible with the + sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by + Daniel Pinto. + + o Minor bugfixes (metrics port, backport from 0.4.6.4-rc): + - Fix a bug that made tor try to re-bind() on an already open + MetricsPort every 60 seconds. Fixes bug 40370; bugfix + on 0.4.5.1-alpha. + + +Changes in version 0.4.4.9 - 2021-06-14 + Tor 0.4.4.9 fixes several security issues, including a + denial-of-service attack against onion service clients, and another + denial-of-service attack against relays. Everybody should upgrade to + one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. + + Note that the scheduled end-of-life date for the Tor 0.4.4.x series is + June 15. This is therefore the last release in its series. Everybody + still running 0.4.4.x should plan to upgrade to 0.4.5.x or later. + + o Major bugfixes (security, backport from 0.4.6.5): + - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on + half-closed streams. Previously, clients failed to validate which + hop sent these cells: this would allow a relay on a circuit to end + a stream that wasn't actually built with it. Fixes bug 40389; + bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- + 003 and CVE-2021-34548. + + o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): + - Detect more failure conditions from the OpenSSL RNG code. + Previously, we would detect errors from a missing RNG + implementation, but not failures from the RNG code itself. + Fortunately, it appears those failures do not happen in practice + when Tor is using OpenSSL's default RNG implementation. Fixes bug + 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as + TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. + + o Major bugfixes (security, denial of service, backport from 0.4.6.5): + - Resist a hashtable-based CPU denial-of-service attack against + relays. Previously we used a naive unkeyed hash function to look + up circuits in a circuitmux object. An attacker could exploit this + to construct circuits with chosen circuit IDs, to create + collisions and make the hash table inefficient. Now we use a + SipHash construction here instead. Fixes bug 40391; bugfix on + 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and + CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. + - Fix an out-of-bounds memory access in v3 onion service descriptor + parsing. An attacker could exploit this bug by crafting an onion + service descriptor that would crash any client that tried to visit + it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also + tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei + Glazunov from Google's Project Zero. + + o Minor features (compatibility, backport from 0.4.6.4-rc): + - Remove an assertion function related to TLS renegotiation. It was + used nowhere outside the unit tests, and it was breaking + compilation with recent alpha releases of OpenSSL 3.0.0. Closes + ticket 40399. + + o Minor features (fallback directory list, backport from 0.4.6.2-alpha): + - Regenerate the list of fallback directories to contain a new set + of 200 relays. Closes ticket 40265. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/06/10. + + o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha): + - Fix a non-fatal BUG() message due to a too-early free of a string, + when listing a client connection from the DoS defenses subsystem. + Fixes bug 40345; bugfix on 0.4.3.4-rc. + + o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): + - Fix an indentation problem that led to a warning from GCC 11.1.1. + Fixes bug 40380; bugfix on 0.3.0.1-alpha. + + +Changes in version 0.3.5.15 - 2021-06-14 + Tor 0.3.5.15 fixes several security issues, including a + denial-of-service attack against onion service clients, and another + denial-of-service attack against relays. Everybody should upgrade to + one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. + + o Major bugfixes (security, backport from 0.4.6.5): + - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on + half-closed streams. Previously, clients failed to validate which + hop sent these cells: this would allow a relay on a circuit to end + a stream that wasn't actually built with it. Fixes bug 40389; + bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- + 003 and CVE-2021-34548. + + o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): + - Detect more failure conditions from the OpenSSL RNG code. + Previously, we would detect errors from a missing RNG + implementation, but not failures from the RNG code itself. + Fortunately, it appears those failures do not happen in practice + when Tor is using OpenSSL's default RNG implementation. Fixes bug + 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as + TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. + + o Major bugfixes (security, denial of service, backport from 0.4.6.5): + - Resist a hashtable-based CPU denial-of-service attack against + relays. Previously we used a naive unkeyed hash function to look + up circuits in a circuitmux object. An attacker could exploit this + to construct circuits with chosen circuit IDs, to create + collisions and make the hash table inefficient. Now we use a + SipHash construction here instead. Fixes bug 40391; bugfix on + 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and + CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. + - Fix an out-of-bounds memory access in v3 onion service descriptor + parsing. An attacker could exploit this bug by crafting an onion + service descriptor that would crash any client that tried to visit + it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also + tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei + Glazunov from Google's Project Zero. + + o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): + - Fix an indentation problem that led to a warning from GCC 11.1.1. + Fixes bug 40380; bugfix on 0.3.0.1-alpha. + + o Minor features (compatibility, backport from 0.4.6.4-rc): + - Remove an assertion function related to TLS renegotiation. It was + used nowhere outside the unit tests, and it was breaking + compilation with recent alpha releases of OpenSSL 3.0.0. Closes + ticket 40399. + + o Minor features (fallback directory list, backport from 0.4.6.2-alpha): + - Regenerate the list of fallback directories to contain a new set + of 200 relays. Closes ticket 40265. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/06/10. + + Changes in version 0.4.5.8 - 2021-05-10 Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes from the 0.4.6.x series.