diff --git a/ChangeLog b/ChangeLog index f6cd2b41e7..bc7f1055b9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,28 +1,16 @@ Changes in version 0.2.8.2-rc - 2016-03-?? - Tor 0.2.8.1-alpha is the first release candidate in its series. - XXXX write more here XXXX + Tor 0.2.8.1-alpha is the first release candidate in its series. XXXX + write more here XXXX o New system requirements: - Tor no longer supports versions of OpenSSL with a broken - implementation of counter mode. (This bug was present in OpenSSL - 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but - no longer runs with, these versions. - - Tor no longer attempts to support platforms where the "time_t" type - is unsigned. (To the best of our knowledge, only OpenVMS does this, - and Tor has never actually built on OpenVMS.) Closes ticket 18184. - - o Removed features: - - Streamline relay-side hsdir handling: when relays consider whether - to accept an uploaded hidden service descriptor, they no longer - check whether they are one of the relays in the network that is - "supposed" to handle that descriptor. Implements ticket 18332. - - We no longer maintain an internal freelist in memarea.c. Allocators - should be good enough to make this code unnecessary, and it's doubtful - that it ever had any performance benefit. - - o Major bugfixes (dns proxy mode, crash): - - Avoid crashing when running as a DNS proxy. Fixes bug 16248; bugfix on - 0.2.0.1-alpha. Patch from 'cypherpunks'. + implementation of counter mode. (This bug was present in OpenSSL + 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no + longer runs with, these versions. + - Tor no longer attempts to support platforms where the "time_t" + type is unsigned. (To the best of our knowledge, only OpenVMS does + this, and Tor has never actually built on OpenVMS.) Closes + ticket 18184. o Major bugfixes (security, pointers): - Avoid a difficult-to-trigger heap corruption attack when extending @@ -31,20 +19,28 @@ Changes in version 0.2.8.2-rc - 2016-03-?? incompletely. Reported by Guido Vranken. o Major bugfixes (compilation): - - Repair hardened builds under the clang compiler. Previously, - our use of _FORTIFY_SOURCE would conflict with clang's address + - Repair hardened builds under the clang compiler. Previously, our + use of _FORTIFY_SOURCE would conflict with clang's address sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha. o Major bugfixes (crash on shutdown): - Correctly handle detaching circuits from cmuxes when doing - circuit_free_all() on shutdown. Fixes bug 18116; bugfix on - 0.2.8.1-alpha. + circuit_free_all() on shutdown. Fixes bug 18116; bugfix + on 0.2.8.1-alpha. + + o Major bugfixes (dns proxy mode, crash): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from 'cypherpunks'. o Major bugfixes (relays, bridge clients): - - Ensure relays always allow IPv4 OR and Dir connections. - Ensure bridge clients use the address configured in the bridge line. - Fixes bug 18348; bugfix on 0.2.8.1-alpha. - Reported by sysrqb, patch by teor. + - Ensure relays always allow IPv4 OR and Dir connections. Ensure + bridge clients use the address configured in the bridge line. + Fixes bug 18348; bugfix on 0.2.8.1-alpha. Reported by sysrqb, + patch by teor. + + o Minor features: + - Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2 + Country database. o Minor feature (IPv6): - Add ClientPreferIPv6DirPort, which is set to 0 by default. If set @@ -53,22 +49,21 @@ Changes in version 0.2.8.2-rc - 2016-03-?? avoids using IPv4 for client OR and directory connections. - Try harder to fulfil IP version restrictions ClientUseIPv4 0 and ClientUseIPv6 0; and the preferences ClientPreferIPv6ORPort and - ClientPreferIPv6DirPort. - Closes ticket 17840; patch by "teor". + ClientPreferIPv6DirPort. Closes ticket 17840; patch by "teor". o Minor features (bug-resistance): - - Make Tor survive errors involving connections without a corresponding - event object. Previously we'd fail with an assertion; now we produce a - log message. Related to bug 16248. + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. o Minor features (build): - - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD) as - having possible IPfW support. Closes ticket 18448. Patch from + - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD) + as having possible IPfW support. Closes ticket 18448. Patch from Steven Chamberlain. o Minor features (code hardening): - - Use tor_snprintf() and tor_vsnprintf() even in external and - low-level code, to harden against accidental failures to NUL- + - Use tor_snprintf() and tor_vsnprintf() even in external and low- + level code, to harden against accidental failures to NUL- terminate. Part of ticket 17852. Patch from 'jsturgix'. Found with Flawfinder. @@ -77,11 +72,11 @@ Changes in version 0.2.8.2-rc - 2016-03-?? appropriate locations. Closes ticket 17732. o Minor features (crypto): - - Fix a segfault during startup: If unix socket was configured as + - Fix a segfault during startup: If unix socket was configured as listener (such as a ControlSocket or a SocksPort unix socket), and tor was started as root but not configured to switch to another user, tor would segfault while trying to string compare a NULL - value. Fixes bug 18261; bugfix on 0.2.8.1-alpha. Patch by weasel. + value. Fixes bug 18261; bugfix on 0.2.8.1-alpha. Patch by weasel. - Validate the Diffie-Hellman hard coded parameters and ensure that p is a safe prime, and g is suitable. Closes ticket 18221. @@ -90,41 +85,57 @@ Changes in version 0.2.8.2-rc - 2016-03-?? Country database. o Minor features (robustness): - - Exit immediately with an error message if the code attempts to - use libevent without having initialized it. This should resolve - some frequently-made mistakes in our unit tests. Closes ticket - 18241. + - Exit immediately with an error message if the code attempts to use + libevent without having initialized it. This should resolve some + frequently-made mistakes in our unit tests. Closes ticket 18241. o Minor features (unix domain sockets): - Since some operating systems do not consider the actual modes on a UNIX domain socket itself, tor does not allow creating such a socket in a directory that is group or world accessible if it is - supposed to be private. Likewise, it will not allow only group - accessible sockets in a world accessible directory. - However, on some operating systems this is unnecessary, so - add a per-socket option called RelaxDirModeCheck. - Closes ticket 18458. Patch by weasel. + supposed to be private. Likewise, it will not allow only group + accessible sockets in a world accessible directory. However, on + some operating systems this is unnecessary, so add a per-socket + option called RelaxDirModeCheck. Closes ticket 18458. Patch + by weasel. - o Minor features: - - Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2 - Country database. + o Minor bugfixes (exit policies, security): + - Refresh an exit relay's exit policy when interface addresses + change. Previously, tor only refreshed the exit policy when the + configured external address changed. Fixes bug 18208; bugfix on + tor 0.2.7.3. Patch by "teor". + + o Minor bugfixes (security, hidden services): + - Prevent hidden services connecting to client-supplied rendezvous + addresses that are reserved as internal or multicast. Fixes bug + 8976; bugfix on b7c172c9e in tor-0.2.3.21. Patch by "dgoulet" + and "teor". + + o Minor bugfixes (security, win32): + - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing + attack. Fixes bug 18123; bugfix on all tor versions. Patch + by "teor". + + o Minor bugfixes: + - Bridges now refuse "rendezvous2" (hidden service descriptor) + publish attempts. Suggested by ticket 18332. o Minor bugfixes (build): - - Do not link the unit tests against both the testing and non-testing - versions of the static libraries. Fixes bug 18490; bugfix on - 0.2.7.1-alpha. + - Do not link the unit tests against both the testing and non- + testing versions of the static libraries. Fixes bug 18490; bugfix + on 0.2.7.1-alpha. o Minor bugfixes (client): - Count receipt of new microdescriptors as progress towards bootstrapping. Now, when a user who has set EntryNodes finishes bootstrapping, Tor automatically repopulates the guard set based - on this new directory information. Fixes bug 16825; bugfix on - 0.2.3.1-alpha. + on this new directory information. Fixes bug 16825; bugfix + on 0.2.3.1-alpha. o Minor bugfixes (code correctness): - - Update to the latest version of Trunnel, which tries harder - to avoid generating code that can invoke memcpy(p,NULL,0). - Bug found by clang address sanitizer. Fixes bug 18373; bugfix + - Update to the latest version of Trunnel, which tries harder to + avoid generating code that can invoke memcpy(p,NULL,0). Bug found + by clang address sanitizer. Fixes bug 18373; bugfix on 0.2.7.2-alpha. o Minor bugfixes (configuration): @@ -134,44 +145,37 @@ Changes in version 0.2.8.2-rc - 2016-03-?? o Minor bugfixes (containers): - If we somehow attempt to construct a heap with more than 1073741822 elements, avoid an integer overflow when maintaining - the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha. + the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha. o Minor bugfixes (correctness): - - Fix a bad memory handling bug that would occur if we had queued - a cell on a channel's incoming queue. Fortunately, we can't actually - queue a cell like that as our code is constructed today, but it's best - to avoid this kind of error, even if there isn't any code that triggers - it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha. + - Fix a bad memory handling bug that would occur if we had queued a + cell on a channel's incoming queue. Fortunately, we can't actually + queue a cell like that as our code is constructed today, but it's + best to avoid this kind of error, even if there isn't any code + that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha. o Minor bugfixes (crypto, static analysis): - - Silence spurious clang-scan warnings in the ed25519_donna code - by explicitly initialising some objects. - Fixes bug 18384; bugfix on 0f3eeca9 in 0.2.7.2-alpha. - Patch by "teor". + - Silence spurious clang-scan warnings in the ed25519_donna code by + explicitly initialising some objects. Fixes bug 18384; bugfix on + 0f3eeca9 in 0.2.7.2-alpha. Patch by "teor". o Minor bugfixes (directory): - When generating a URL for a directory server on an IPv6 address, - wrap the IPv6 address in square brackets. Fixes bug 18051; - bugfix on 0.2.3.9-alpha. Patch from Malek. - - o Minor bugfixes (exit policies, security): - - Refresh an exit relay's exit policy when interface addresses change. - Previously, tor only refreshed the exit policy when the configured - external address changed. - Fixes bug 18208; bugfix on tor 0.2.7.3. Patch by "teor". + wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix + on 0.2.3.9-alpha. Patch from Malek. o Minor bugfixes (hidden service client): - Seven very fast consecutive requests to the same .onion address triggers 7 descriptor fetches. The first six each pick a directory (there are 6 overall) and the seventh one wasn't able to pick one - which was triggering a close on all current directory connections. It - has been fixed by not closing them if we have pending directory fetch. - Fixes bug 15937; bugfix on tor-0.2.7.1-alpha. + which was triggering a close on all current directory connections. + It has been fixed by not closing them if we have pending directory + fetch. Fixes bug 15937; bugfix on tor-0.2.7.1-alpha. o Minor bugfixes (hidden service, control port): - Add the onion address to the HS_DESC event for the UPLOADED action - both on success or failure. It was previously hardcoded with UNKNOWN. - Fixes bug 16023; bugfix on 0.2.7.2-alpha. + both on success or failure. It was previously hardcoded with + UNKNOWN. Fixes bug 16023; bugfix on 0.2.7.2-alpha. o Minor bugfixes (logging): - Scrub service in from "unrecognized service ID" log messages. @@ -179,77 +183,69 @@ Changes in version 0.2.8.2-rc - 2016-03-?? o Minor bugfixes (memory safety): - Avoid freeing an uninitialised pointer when opening a socket fails - in get_interface_addresses_ioctl. - Fixes bug 18454; bugfix on 9f06ec0c in tor-0.2.3.11-alpha. - Reported by "toralf" and "cypherpunks", patch by "teor". + in get_interface_addresses_ioctl. Fixes bug 18454; bugfix on + 9f06ec0c in tor-0.2.3.11-alpha. Reported by "toralf" and + "cypherpunks", patch by "teor". - Correctly duplicate addresses in get_interface_address6_list. - Fixes bug 18454; bugfix on 110765f5 in tor-0.2.8.1-alpha. - Reported by "toralf", patch by "cypherpunks". + Fixes bug 18454; bugfix on 110765f5 in tor-0.2.8.1-alpha. Reported + by "toralf", patch by "cypherpunks". o Minor bugfixes (private directory): - - Prevent a race condition when creating private directories. - Fixes part of bug 17852; bugfix on 0.2pre13. Part of ticket - 17852. Patch from 'jsturgix'. Found with Flawfinder. + - Prevent a race condition when creating private directories. Fixes + part of bug 17852; bugfix on 0.2pre13. Part of ticket 17852. Patch + from 'jsturgix'. Found with Flawfinder. o Minor bugfixes (sandbox): - - Allow the setrlimit syscall, and the prlimit and prlimit64 syscalls, - which some libc implementations - use under the hood. Fixes bug 15221; bugfix on 0.2.5.1-alpha. - - o Minor bugfixes (security, hidden services): - - Prevent hidden services connecting to client-supplied rendezvous - addresses that are reserved as internal or multicast. - Fixes bug 8976; bugfix on b7c172c9e in tor-0.2.3.21. - Patch by "dgoulet" and "teor". - - o Minor bugfixes (security, win32): - - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing - attack. - Fixes bug 18123; bugfix on all tor versions. Patch by "teor". + - Allow the setrlimit syscall, and the prlimit and prlimit64 + syscalls, which some libc implementations use under the hood. + Fixes bug 15221; bugfix on 0.2.5.1-alpha. o Minor bugfixes (test networks, IPv6): - Allow internal IPv6 addresses in descriptors in test networks. - Fixes bug 17153; bugfix on 6b4af1071 in 0.2.3.16-alpha. - Patch by "teor", reported by "karsten". + Fixes bug 17153; bugfix on 6b4af1071 in 0.2.3.16-alpha. Patch by + "teor", reported by "karsten". o Minor bugfixes (testing): - - We no longer disable assertions in the unit tests when coverage - is enabled. Instead, we require you to say --disable-asserts-in-tests + - We no longer disable assertions in the unit tests when coverage is + enabled. Instead, we require you to say --disable-asserts-in-tests to the configure script if you need assertions disabled in the unit tests (for example, if you want to perform branch coverage). Fixes bug 18242; bugfix on 0.2.7.1-alpha. - o Minor bugfixes: - - Bridges now refuse "rendezvous2" (hidden service descriptor) - publish attempts. Suggested by ticket 18332. - o Code simplification and refactoring: - - Quote all the string interpolations in configure.ac -- even - those which we are pretty sure can't contain spaces. Closes - ticket 17744. Patch from "zerosion". - - Remove specialized code for non-inplace AES_CTR. 99% of our AES - is inplace, so there's no need to have a separate implementation - for the non-inplace code. Closes ticket 18258. Patch from - Malek. + - Quote all the string interpolations in configure.ac -- even those + which we are pretty sure can't contain spaces. Closes ticket + 17744. Patch from "zerosion". + - Remove specialized code for non-inplace AES_CTR. 99% of our AES is + inplace, so there's no need to have a separate implementation for + the non-inplace code. Closes ticket 18258. Patch from Malek. - Simplify return types for some crypto functions that can't - actually fail. Patch from Hassan Alsibyani. Closes ticket - 18259. + actually fail. Patch from Hassan Alsibyani. Closes ticket 18259. o Dependency updates: - - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or later - (released in 2008 and 2009 respectively). If you are building Tor from - the git repository instead of from the source distribution, and your - tools are older than this, you will need to upgrade. - Closes ticket 17732. + - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or + later (released in 2008 and 2009 respectively). If you are + building Tor from the git repository instead of from the source + distribution, and your tools are older than this, you will need to + upgrade. Closes ticket 17732. o Documentation: - - Change build messages to refer to "Fedora" instead of "Fedora Core", - and "dnf" instead of "yum". Closes tickets 18459 and 18426. + - Change build messages to refer to "Fedora" instead of "Fedora + Core", and "dnf" instead of "yum". Closes tickets 18459 and 18426. Patches from "icanhasaccount" and "cypherpunks". + o Removed features: + - Streamline relay-side hsdir handling: when relays consider whether + to accept an uploaded hidden service descriptor, they no longer + check whether they are one of the relays in the network that is + "supposed" to handle that descriptor. Implements ticket 18332. + - We no longer maintain an internal freelist in memarea.c. + Allocators should be good enough to make this code unnecessary, + and it's doubtful that it ever had any performance benefit. + o Testing: - - Fix several warnings from clang's address sanitizer produced in the - unit tests. + - Fix several warnings from clang's address sanitizer produced in + the unit tests. - Treat backtrace test failures as expected on FreeBSD until we solve bug 17808. Closes ticket 18204.