Integrate another entry to the changelog; twiddle changelog more

Work on style, add some sentences to blurb, explain that 10468 is more
general than had been described, etc etc

ChangeLog

@@ -1,6 +1,7 @@
-Changes in version 0.2.5.4-alpha - 2014-04-??
+Changes in version 0.2.5.4-alpha - 2014-04-25
   This release includes several security and performance improvements
-  for clients and relays, including XXX
+  for clients and relays, including blacklisting authority signing keys
+  that were used while susceptible to the OpenSSL "heartbleed" bug,
 
   This release marks end-of-line for Tor 0.2.2.x; those Tor versions
   have accumulated many known flaws; everyone should upgrade.
@@ -17,29 +18,30 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
       functions previously accounted between 3 and 7% of CPU usage on
       some busy relays. Resolves ticket 9841.
     - Avoid wasting CPU when extending a circuit over a channel that is
-      nearly out of circuit IDs. Previously, we would in the worst case
-      do a linear scan over all possible circuit IDs before deciding
-      that we had exhausted our possibilities. Now, we try at most 64
-      random circuit IDs before deciding that we probably won't succeed.
-      Fix for a possible root cause of ticket #11553.
+      nearly out of circuit IDs. Previously, we would do a linear scan
+      over possible circuit IDs before finding one or deciding that we
+      had exhausted our possibilities. Now, we try at most 64 random
+      circuit IDs before deciding that we probably won't succeed. Fix
+      for a possible root cause of ticket #11553.
 
   o Major features (seccomp2 sandbox, Linux only):
     - The seccomp2 sandbox can now run a test network for multiple hours
       without crashing. The sandbox is still experimental, and more bugs
       will probably turn up. To try it, enable "Sandbox 1" on a Linux
-      host.
+      host. Resolves ticket 11351.
     - Strengthen sandbox code: the sandbox can now test the arguments
-      for rename(), and blocks _sysctl() entirely.
+      for rename(), and blocks _sysctl() entirely. Resolves part of
+      ticket 11351.
     - When the sandbox blocks a system call, it now tries to log a stack
       trace before exiting. Resolves ticket 11465.
 
   o Major bugfixes (TLS cipher selection):
     - The relay ciphersuite list is now generated automatically based on
       uniform criteria, and includes all OpenSSL ciphersuites with
-      acceptable strength and forward secrecy. Previously, we had
-      omitted some perfectly fine ciphersuites. Resolves bugs #11513,
-      #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
-      0.2.4.8-alpha.
+      acceptable strength and forward secrecy. Previously, we had left
+      some perfectly fine ciphersuites unsupported due to omission or
+      typo. Resolves bugs #11513, #11492, #11498, #11499. Bugs reported
+      by 'cypherpunks'. Bugfix on 0.2.4.8-alpha.
     - Relays now trust themselves to have a better view than clients of
       which TLS ciphersuites are better than others. (Thanks to #11513,
       the relay list is now well-considered, whereas the client list has
@@ -49,9 +51,9 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
       Resolves ticket 11528.
     - Clients now try to advertise the same list of ciphersuites as
       Firefox 28. This change enables selection of (fast) GCM
-      ciphersuites, disables some strange old ciphers, and disables the
-      ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket
-      11438.
+      ciphersuites, disables some strange old ciphers, and stops
+      advertising the ECDH (not to be confused with ECDHE) ciphersuites.
+      Resolves ticket 11438.
 
   o Major bugfixes (undefined behavior):
     - Fix various instances of undefined behavior in channeltls.c,
@@ -119,6 +121,14 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
       check strftime return values more often. In some cases all we can
       do is report a warning, but this may help prevent deeper bugs from
       going unnoticed. Closes ticket 8787.
+    - Fix numerous warnings from the clang "scan-build" static analyzer.
+      Some of these are programming style issues; some of them are false
+      positives that indicated awkward code; some are undefined behavior
+      cases related to constructing (but not using) invalid pointers;
+      some are assumptions about API behavior; some are using
+      sizeof(ptr) when sizeof(*ptr) would be correct; and one or two are
+      genuine bugs that weren't reachable from the rest of the program.
+      Fixes bug 8793; bugfixes on many, many tor versions.
 
   o Minor features (bridge client):
     - Report a more useful failure message when we can't connect to a
@@ -227,8 +237,9 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
       Fixes bug 11437; bugfix on 0.2.4.7-alpha.
 
   o Minor bugfixes (IPv6):
-    - When using DNSPort and AutomapHostsOnResolve, respond to AAAA
-      requests with AAAA automapped answers. Fixes bug 10468; bugfix on
+    - When using DNSPort, try to respond to AAAA requests with AAAA
+      answers. Previously, we hadn't looked at the request type when
+      deciding which answer type to prefer. Fixes bug 10468; bugfix on
       0.2.4.7-alpha.
 
   o Documentation:

changes/bug8793

@@ -1,9 +0,0 @@
-  o Minor bugfixes:
-    - Fix numerous warnings from the clang "scan-build" static analyzer.
-      Some of these are programming style issues; some of them are false
-      positives that indicated awkward code; some are undefined behavior
-      cases related to constructing (but not using) invalid pointers;
-      some are assumptions about API behavior; some are using
-      sizeof(ptr) when sizeof(*ptr) would be correct; and one or two are
-      genuine bugs that weren't reachable from the rest of the
-      program. Fixes bug 8793; bugfixes on many, many tor versions.