changelog for 0.4.3.7

ChangeLog

@@ -1,3 +1,118 @@
+Changes in version 0.4.3.7 - 2020-11-12
+  Tor 0.4.3.7 backports several bugfixes from later releases. It
+  includes a fix for TROVE-2020-005, a security issue that could be
+  used, under certain cases, by an adversary to observe traffic patterns
+  on a limited number of circuits intended for a different relay.
+
+  Please be aware that support for the 0.4.3.x series will end on 15
+  January 2020. Please upgrade to 0.4.4.x or 0.4.5.x before then, or
+  downgrade to 0.3.5.x, which will be supported until at least 1
+  February 2022.
+
+  o Major features (fallback directory list, backport form 0.4.4.3-alpha):
+    - Replace the 148 fallback directories originally included in Tor
+      0.4.1.4-rc (of which around 105 are still functional) with a list
+      of 144 fallbacks generated in July 2020. Closes ticket 40061.
+
+  o Major bugfixes (security, backport from 0.4.5.1-alpha):
+    - When completing a channel, relays now check more thoroughly to
+      make sure that it matches any pending circuits before attaching
+      those circuits. Previously, address correctness and Ed25519
+      identities were not checked in this case, but only when extending
+      circuits on an existing channel. Fixes bug 40080; bugfix on
+      0.2.7.2-alpha. Resolves TROVE-2020-005.
+
+  o Major bugfixes (NSS, backport from 0.4.4.3-alpha):
+    - When running with NSS enabled, make sure that NSS knows to expect
+      nonblocking sockets. Previously, we set our TCP sockets as
+      nonblocking, but did not tell NSS, which in turn could lead to
+      unexpected blocking behavior. Fixes bug 40035; bugfix
+      on 0.3.5.1-alpha.
+
+  o Minor features (security, backport from 0.4.4.4-rc):
+    - Channels using obsolete versions of the Tor link protocol are no
+      longer allowed to circumvent address-canonicity checks. (This is
+      only a minor issue, since such channels have no way to set ed25519
+      keys, and therefore should always be rejected for circuits that
+      specify ed25519 identities.) Closes ticket 40081.
+
+  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
+    - Tor no longer allows subprotocol versions larger than 63.
+      Previously version numbers up to UINT32_MAX were allowed, which
+      significantly complicated our code. Implements proposal 318;
+      closes ticket 40133.
+
+  o Minor features (tests, backport from 0.4.4.5):
+    - Our "make check" target now runs the unit tests in 8 parallel
+      chunks. Doing this speeds up hardened CI builds by more than a
+      factor of two. Closes ticket 40098.
+
+  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
+    - Fix a rendezvous cache unit test that was triggering an underflow
+      on the global rend cache allocation. Fixes bug 40125; bugfix
+      on 0.2.8.1-alpha.
+    - Fix another rendezvous cache unit test that was triggering an
+      underflow on the global rend cache allocation. Fixes bug 40126;
+      bugfix on 0.2.8.1-alpha.
+
+  o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc):
+    - Fix a correctness bug that could cause an assertion failure if we
+      ever tried using the buf_move_all() function with an empty input
+      buffer. As far as we know, no released versions of Tor do this.
+      Fixes bug 40076; bugfix on 0.3.3.1-alpha.
+
+  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
+    - Remove a debug logging statement that uselessly spammed the logs.
+      Fixes bug 40135; bugfix on 0.3.5.0-alpha.
+
+  o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc):
+    - On a bridge, treat all connections from an ExtORPort as remote by
+      default for the purposes of rate-limiting. Previously, bridges
+      would treat the connection as local unless they explicitly
+      received a "USERADDR" command. ExtORPort connections still count
+      as local if there is a USERADDR command with an explicit local
+      address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.
+
+  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
+    - Avoid a fatal assert() when failing to create a listener
+      connection for an address that was in use. Fixes bug 40073; bugfix
+      on 0.3.5.1-alpha.
+
+  o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha):
+    - Adjust the rules for when to warn about having too many
+      connections to other relays. Previously we'd tolerate up to 1.5
+      connections per relay on average. Now we tolerate more connections
+      for directory authorities, and raise the number of total
+      connections we need to see before we warn. Fixes bug 33880; bugfix
+      on 0.3.1.1-alpha.
+
+  o Minor bugfixes (tests, 0.4.4.5):
+    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
+      on its own. Previously, it would exit with an error. Fixes bug
+      40099; bugfix on 0.2.8.1-alpha.
+
+  o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
+    - For HSFETCH commands on v2 onion services addresses, check the
+      length of bytes decoded, not the base32 length. Fixes bug 34400;
+      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.
+
+  o Minor bugfixes (windows, backport from 0.4.4.4-rc):
+    - Fix a bug that prevented Tor from starting if its log file grew
+      above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha.
+
+  o Deprecated features (onion service v2, backport form 0.4.4.2-alpha):
+    - Add a deprecation warning for version 2 onion services. Closes
+      ticket 40003.
+
+  o Removed features (backport from 0.4.4.3-alpha):
+    - Our "check-local" test target no longer tries to use the
+      Coccinelle semantic patching tool parse all the C files. While it
+      is a good idea to try to make sure Coccinelle works on our C
+      before we run a Coccinelle patch, doing so on every test run has
+      proven to be disruptive. You can still run this tool manually with
+      "make check-cocci". Closes ticket 40030. ticket 40030.
+
+
 Changes in version 0.4.3.6 - 2020-07-09
   Tor 0.4.3.6 backports several bugfixes from later releases, including
   some affecting usability.

changes/bug31036

@@ -1,3 +0,0 @@
-  o Minor bugfixes (windows):
-    - Fix a bug that prevented Tor from starting if its log file
-      grew above 2GB.  Fixes bug 31036; bugfix on 0.2.1.8-alpha.

changes/bug34400

@@ -1,5 +0,0 @@
-  o Minor bugfixes (v2 onion services):
-    - For HSFETCH commands on v2 onion services addresses, check the length of
-      bytes decoded, not the base32 length. This takes the behavior introduced
-      in commit a517daa56f5848d25ba79617a1a7b82ed2b0a7c0 into consideration.
-      Fixes bug 34400; bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.

changes/bug40076

@@ -1,5 +0,0 @@
-  o Minor bugfixes (correctness, buffers):
-    - Fix a correctness bug that could cause an assertion failure if we ever
-      tried using the buf_move_all() function with an empty input.
-      As far as we know, no released versions of Tor do this.
-      Fixes bug 40076; bugfix on 0.3.3.1-alpha.

changes/bug40080

@@ -1,6 +0,0 @@
-  o Minor bugfixes (security):
-    - When completing a channel, relays now check more thoroughly to make
-      sure that it matches any pending circuits before attaching those
-      circuits. Previously, address correctness and Ed25519 identities were not
-      checked in this case, but only when extending circuits on an existing
-      channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha.

changes/bug40099

@@ -1,4 +0,0 @@
-  o Minor bugfixes (tests):
-    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run on
-      its own.  Previously, it would exit with an error.
-      Fixes bug 40099; bugfix on 0.2.8.1-alpha.

changes/parallel_unit_test

@@ -1,4 +0,0 @@
-  o Minor features (tests):
-    - Our "make check" target now runs the unit tests in 8 parallel chunks.
-      Doing this speeds up hardened CI builds by more than a factor of two.
-      Closes ticket 40098.

changes/ticket33747

@@ -1,7 +0,0 @@
-  o Minor bugfixes (rate limiting, bridges, pluggable transports):
-    - On a bridge, treat all connections from an ExtORPort as remote
-      by default for the purposes of rate-limiting. Previously,
-      bridges would treat the connection as local unless they explicitly
-      received a "USERADDR" command.  ExtORPort connections still
-      count as local if there is a USERADDR command with an  explicit local
-      address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.

changes/ticket33880

@@ -1,6 +0,0 @@
-  o Minor bugfixes (relay, usability):
-    - Adjust the rules for when to warn about having too many connections
-      to other relays. Previously we'd tolerate up to 1.5 connections
-      per relay on average.  Now we tolerate more connections for directory
-      authorities, and raise the number of total connections we need
-      to see before we warn.  Fixes bug 33880; bugfix on 0.3.1.1-alpha.

changes/ticket40003

@@ -1,3 +0,0 @@
-  o Deprecated features (onion service v2):
-    - Add deprecation warning for onion service version 2. Tor now logs a
-      warning once if a version 2 service is configured. Closes ticket 40003.

changes/ticket40030

@@ -1,7 +0,0 @@
-  o Removed features:
-    - Our "check-local" test target no longer tries to use the Coccinelle
-      semantic patching tool parse all the C files.  While it is a good idea
-      to try to make sure Coccinelle works on our C before we run a
-      Coccinelle patch, doing so on every test run has proven to be disruptive.
-      You can still run this tool manually with "make check-cocci". Closes
-      ticket 40030.

changes/ticket40035

@@ -1,5 +0,0 @@
-  o Major bugfixes (NSS):
-    - When running with NSS enabled, make sure that NSS knows to expect
-      nonblocking sockets. Previously, we set our TCP sockets as blocking,
-      but did not tell NSS about the fact, which in turn could lead to
-      unexpected blocking behavior. Fixes bug 40035; bugfix on 0.3.5.1-alpha.

changes/ticket40061

@@ -1,5 +0,0 @@
-  o Major feature (fallback directory list):
-    - Replace the 148 fallback directories originally included in
-      Tor 0.4.1.4-rc (of which around 105 are still functional) with
-      a list of 144 fallbacks generated in July 2020.
-      Closes ticket 40061.

changes/ticket40073

@@ -1,3 +0,0 @@
-  o Minor bugfixes (relay configuration, crash):
-    - Avoid a fatal assert() when failing to create a listener connection for an
-      address that was in use. Fixes bug 40073; bugfix on 0.3.5.1-alpha.

changes/ticket40081

@@ -1,6 +0,0 @@
-  o Minor features (security):
-    - Channels using obsolete versions of the Tor link protocol are no
-      longer allowed to circumvent address-canonicity checks.
-      (This is only a minor issue, since such channels have no way to
-      set ed25519 keys, and therefore should always be rejected.)
-      Closes ticket 40081.

changes/ticket40125

@@ -1,4 +0,0 @@
-  o Testing (onion service v2):
-    - Fix a rendezvous cache unit test that was triggering an underflow on the
-      global rend cache allocation. Fixes bug 40125; bugfix on
-      0.2.8.1-alpha.

changes/ticket40126

@@ -1,4 +0,0 @@
-  o Testing (onion service v2):
-    - Fix another rendezvous cache unit test that was triggering an underflow on the
-      global rend cache allocation. Fixes bug 40126; bugfix on
-      0.2.8.1-alpha.

changes/ticket40133

@@ -1,5 +0,0 @@
-  o Minor features (protocol simplification):
-    - Tor no longer allows subprotocol versions larger than 63.  Previously
-      versions up to UINT32_MAX were allowed, which significantly complicated
-      our code.
-      Implements proposal 318; closes ticket 40133.

changes/ticket40135

@@ -1,3 +0,0 @@
-  o Minor bugfix (logging):
-    - Remove a debug logging statement that uselessly spam the logs. Fixes bug
-      40135; bugfix on 0.3.5.0-alpha.