mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 05:03:43 +01:00
release: Update ChangeLog/ReleaseNotes with latest releases
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
parent
fbfda1b661
commit
bbc29f4a11
212
ChangeLog
212
ChangeLog
@ -1,3 +1,215 @@
|
||||
Changes in version 0.4.7.9 - 2022-08-11
|
||||
This version contains several major fixes aimed at reducing memory pressure on
|
||||
relays and possible side-channel. It also contains a major bugfix related to
|
||||
congestion control also aimed at reducing memory pressure on relays.
|
||||
Finally, there is last one major bugfix related to Vanguard L2 layer node
|
||||
selection.
|
||||
|
||||
We strongly recommend to upgrade to this version especially for Exit relays
|
||||
in order to help the network defend against this ongoing DDoS.
|
||||
|
||||
o Major bugfixes (congestion control):
|
||||
- Implement RFC3742 Limited Slow Start. Congestion control was
|
||||
overshooting the congestion window during slow start, particularly
|
||||
for onion service activity. With this fix, we now update the
|
||||
congestion window more often during slow start, as well as dampen
|
||||
the exponential growth when the congestion window grows above a
|
||||
capping parameter. This should reduce the memory increases guard
|
||||
relays were seeing, as well as allow us to set lower queue limits
|
||||
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
|
||||
on 0.4.7.5-alpha.
|
||||
|
||||
o Major bugfixes (relay):
|
||||
- Remove OR connections btrack subsystem entries when the connections
|
||||
close normally. Before this, we would only remove the entry on error and
|
||||
thus leaking memory for each normal OR connections. Fixes bug 40604;
|
||||
bugfix on 0.4.0.1-alpha.
|
||||
- Stop sending TRUNCATED cell and instead close the circuit from which we
|
||||
received a DESTROY cell. This makes every relay in the circuit path to
|
||||
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
|
||||
|
||||
o Major bugfixes (vanguards):
|
||||
- We had omitted some checks for whether our vanguards (second layer
|
||||
guards from proposal 333) overlapped. Now make sure to pick each
|
||||
of them to be independent. Also, change the design to allow them
|
||||
to come from the same family. Fixes bug 40639; bugfix
|
||||
on 0.4.7.1-alpha.
|
||||
|
||||
o Minor features (dirauth):
|
||||
- Add a torrc option to control the Guard flag bandwidth threshold
|
||||
percentile. Closes ticket 40652.
|
||||
- Add an AuthDirVoteGuard torrc option that can allow authorities to
|
||||
assign the Guard flag to the given fingerprints/country code/IPs.
|
||||
This is a needed feature mostly for defense purposes in case a DoS
|
||||
hits the network and relay start losing the Guard flags too fast.
|
||||
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
|
||||
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
|
||||
from torrc.
|
||||
|
||||
o Minor features (fallbackdir):
|
||||
- Regenerate fallback directories generated on August 11, 2022.
|
||||
|
||||
o Minor features (geoip data):
|
||||
- Update the geoip files to match the IPFire Location Database, as
|
||||
retrieved on 2022/08/11.
|
||||
|
||||
o Minor bugfixes (congestion control):
|
||||
- Add a check for an integer underflow condition that might happen
|
||||
in cases where the system clock is stopped, the ORconn is blocked,
|
||||
and the endpoint sends more than a congestion window worth of non-
|
||||
data control cells at once. This would cause a large congestion
|
||||
window to be calculated instead of a small one. No security
|
||||
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
|
||||
|
||||
o Minor bugfixes (defense in depth):
|
||||
- Change a test in the netflow padding code to make it more
|
||||
_obviously_ safe against remotely triggered crashes. (It was safe
|
||||
against these before, but not obviously so.) Fixes bug 40645;
|
||||
bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Do not propagate either forward or backward a DESTROY remote reason when
|
||||
closing a circuit in order to avoid a possible side channel. Fixes bug
|
||||
40649; bugfix on 0.1.2.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.4.6.11 - 2022-08-11
|
||||
This version contains two major fixes aimed at reducing memory pressure on
|
||||
relays and possible side-channel. The rest of the fixes were backported for
|
||||
stability or safety purposes.
|
||||
|
||||
This is the very LAST version of this series. As of August 1st 2022, it is
|
||||
end-of-life (EOL). We thus strongly recommend to upgrade to the latest
|
||||
stable of the 0.4.7.x series.
|
||||
|
||||
o Major bugfixes (relay):
|
||||
- Remove OR connections btrack subsystem entries when the connections
|
||||
close normally. Before this, we would only remove the entry on error and
|
||||
thus leaking memory for each normal OR connections. Fixes bug 40604;
|
||||
bugfix on 0.4.0.1-alpha.
|
||||
- Stop sending TRUNCATED cell and instead close the circuit from which we
|
||||
received a DESTROY cell. This makes every relay in the circuit path to
|
||||
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
|
||||
|
||||
o Minor features (fallbackdir):
|
||||
- Regenerate fallback directories generated on August 11, 2022.
|
||||
|
||||
o Minor features (geoip data):
|
||||
- Update the geoip files to match the IPFire Location Database, as
|
||||
retrieved on 2022/08/11.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Permit the clone3 syscall, which is apparently used in glibc-2.34
|
||||
and later. Closes ticket 40590.
|
||||
|
||||
o Minor bugfixes (controller, path bias):
|
||||
- When a circuit's path is specified, in full or in part, from the
|
||||
controller API, do not count that circuit towards our path-bias
|
||||
calculations. (Doing so was incorrect, since we cannot tell
|
||||
whether the controller is selecting relays randomly.) Resolves a
|
||||
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
|
||||
|
||||
o Minor bugfixes (defense in depth):
|
||||
- Change a test in the netflow padding code to make it more
|
||||
_obviously_ safe against remotely triggered crashes. (It was safe
|
||||
against these before, but not obviously so.) Fixes bug 40645;
|
||||
bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (linux seccomp2 sandbox):
|
||||
- Allow the rseq system call in the sandbox. This solves a crash
|
||||
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
|
||||
40601; bugfix on 0.3.5.11.
|
||||
|
||||
o Minor bugfixes (metrics port, onion service):
|
||||
- The MetricsPort line for an onion service with multiple ports are now
|
||||
unique that is one line per port. Before this, all ports of an onion
|
||||
service would be on the same line which violates the Prometheus rules of
|
||||
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion service, client):
|
||||
- Fix a fatal assert due to a guard subsystem recursion triggered by
|
||||
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, DoS):
|
||||
- Fix one case of a not-especially viable denial-of-service attack
|
||||
found by OSS-Fuzz in our consensus-diff parsing code. This attack
|
||||
causes a lot small of memory allocations and then immediately
|
||||
frees them: this is only slow when running with all the sanitizers
|
||||
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Do not propagate either forward or backward a DESTROY remote reason when
|
||||
closing a circuit in order to avoid a possible side channel. Fixes bug
|
||||
40649; bugfix on 0.1.2.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.4.5.13 - 2022-08-11
|
||||
This version contains two major fixes aimed at reducing memory pressure on
|
||||
relays and possible side-channel. The rest of the fixes were backported for
|
||||
stability or safety purposes. We strongly recommend to upgrade your relay to
|
||||
this version or, ideally, to the latest stable of the 0.4.7.x series.
|
||||
|
||||
o Major bugfixes (relay):
|
||||
- Remove OR connections btrack subsystem entries when the connections
|
||||
close normally. Before this, we would only remove the entry on error and
|
||||
thus leaking memory for each normal OR connections. Fixes bug 40604;
|
||||
bugfix on 0.4.0.1-alpha.
|
||||
- Stop sending TRUNCATED cell and instead close the circuit from which we
|
||||
received a DESTROY cell. This makes every relay in the circuit path to
|
||||
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
|
||||
|
||||
o Minor features (fallbackdir):
|
||||
- Regenerate fallback directories generated on August 11, 2022.
|
||||
|
||||
o Minor features (geoip data):
|
||||
- Update the geoip files to match the IPFire Location Database, as
|
||||
retrieved on 2022/08/11.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Permit the clone3 syscall, which is apparently used in glibc-2.34
|
||||
and later. Closes ticket 40590.
|
||||
|
||||
o Minor bugfixes (controller, path bias):
|
||||
- When a circuit's path is specified, in full or in part, from the
|
||||
controller API, do not count that circuit towards our path-bias
|
||||
calculations. (Doing so was incorrect, since we cannot tell
|
||||
whether the controller is selecting relays randomly.) Resolves a
|
||||
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
|
||||
|
||||
o Minor bugfixes (defense in depth):
|
||||
- Change a test in the netflow padding code to make it more
|
||||
_obviously_ safe against remotely triggered crashes. (It was safe
|
||||
against these before, but not obviously so.) Fixes bug 40645;
|
||||
bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (linux seccomp2 sandbox):
|
||||
- Allow the rseq system call in the sandbox. This solves a crash
|
||||
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
|
||||
40601; bugfix on 0.3.5.11.
|
||||
|
||||
o Minor bugfixes (metrics port, onion service):
|
||||
- The MetricsPort line for an onion service with multiple ports are now
|
||||
unique that is one line per port. Before this, all ports of an onion
|
||||
service would be on the same line which violates the Prometheus rules of
|
||||
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion service, client):
|
||||
- Fix a fatal assert due to a guard subsystem recursion triggered by
|
||||
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, DoS):
|
||||
- Fix one case of a not-especially viable denial-of-service attack
|
||||
found by OSS-Fuzz in our consensus-diff parsing code. This attack
|
||||
causes a lot small of memory allocations and then immediately
|
||||
frees them: this is only slow when running with all the sanitizers
|
||||
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Do not propagate either forward or backward a DESTROY remote reason when
|
||||
closing a circuit in order to avoid a possible side channel. Fixes bug
|
||||
40649; bugfix on 0.1.2.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.4.7.8 - 2022-06-17
|
||||
This version fixes several bugfixes including a High severity security issue
|
||||
categorized as a Denial of Service. Everyone running an earlier version
|
||||
|
212
ReleaseNotes
212
ReleaseNotes
@ -2,6 +2,218 @@ This document summarizes new features and bugfixes in each stable
|
||||
release of Tor. If you want to see more detailed descriptions of the
|
||||
changes in each development snapshot, see the ChangeLog file.
|
||||
|
||||
Changes in version 0.4.7.9 - 2022-08-11
|
||||
This version contains several major fixes aimed at reducing memory pressure on
|
||||
relays and possible side-channel. It also contains a major bugfix related to
|
||||
congestion control also aimed at reducing memory pressure on relays.
|
||||
Finally, there is last one major bugfix related to Vanguard L2 layer node
|
||||
selection.
|
||||
|
||||
We strongly recommend to upgrade to this version especially for Exit relays
|
||||
in order to help the network defend against this ongoing DDoS.
|
||||
|
||||
o Major bugfixes (congestion control):
|
||||
- Implement RFC3742 Limited Slow Start. Congestion control was
|
||||
overshooting the congestion window during slow start, particularly
|
||||
for onion service activity. With this fix, we now update the
|
||||
congestion window more often during slow start, as well as dampen
|
||||
the exponential growth when the congestion window grows above a
|
||||
capping parameter. This should reduce the memory increases guard
|
||||
relays were seeing, as well as allow us to set lower queue limits
|
||||
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
|
||||
on 0.4.7.5-alpha.
|
||||
|
||||
o Major bugfixes (relay):
|
||||
- Remove OR connections btrack subsystem entries when the connections
|
||||
close normally. Before this, we would only remove the entry on error and
|
||||
thus leaking memory for each normal OR connections. Fixes bug 40604;
|
||||
bugfix on 0.4.0.1-alpha.
|
||||
- Stop sending TRUNCATED cell and instead close the circuit from which we
|
||||
received a DESTROY cell. This makes every relay in the circuit path to
|
||||
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
|
||||
|
||||
o Major bugfixes (vanguards):
|
||||
- We had omitted some checks for whether our vanguards (second layer
|
||||
guards from proposal 333) overlapped. Now make sure to pick each
|
||||
of them to be independent. Also, change the design to allow them
|
||||
to come from the same family. Fixes bug 40639; bugfix
|
||||
on 0.4.7.1-alpha.
|
||||
|
||||
o Minor features (dirauth):
|
||||
- Add a torrc option to control the Guard flag bandwidth threshold
|
||||
percentile. Closes ticket 40652.
|
||||
- Add an AuthDirVoteGuard torrc option that can allow authorities to
|
||||
assign the Guard flag to the given fingerprints/country code/IPs.
|
||||
This is a needed feature mostly for defense purposes in case a DoS
|
||||
hits the network and relay start losing the Guard flags too fast.
|
||||
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
|
||||
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
|
||||
from torrc.
|
||||
|
||||
o Minor features (fallbackdir):
|
||||
- Regenerate fallback directories generated on August 11, 2022.
|
||||
|
||||
o Minor features (geoip data):
|
||||
- Update the geoip files to match the IPFire Location Database, as
|
||||
retrieved on 2022/08/11.
|
||||
|
||||
o Minor bugfixes (congestion control):
|
||||
- Add a check for an integer underflow condition that might happen
|
||||
in cases where the system clock is stopped, the ORconn is blocked,
|
||||
and the endpoint sends more than a congestion window worth of non-
|
||||
data control cells at once. This would cause a large congestion
|
||||
window to be calculated instead of a small one. No security
|
||||
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
|
||||
|
||||
o Minor bugfixes (defense in depth):
|
||||
- Change a test in the netflow padding code to make it more
|
||||
_obviously_ safe against remotely triggered crashes. (It was safe
|
||||
against these before, but not obviously so.) Fixes bug 40645;
|
||||
bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Do not propagate either forward or backward a DESTROY remote reason when
|
||||
closing a circuit in order to avoid a possible side channel. Fixes bug
|
||||
40649; bugfix on 0.1.2.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.4.6.11 - 2022-08-11
|
||||
This version contains two major fixes aimed at reducing memory pressure on
|
||||
relays and possible side-channel. The rest of the fixes were backported for
|
||||
stability or safety purposes.
|
||||
|
||||
This is the very LAST version of this series. As of August 1st 2022, it is
|
||||
end-of-life (EOL). We thus strongly recommend to upgrade to the latest
|
||||
stable of the 0.4.7.x series.
|
||||
|
||||
o Major bugfixes (relay):
|
||||
- Remove OR connections btrack subsystem entries when the connections
|
||||
close normally. Before this, we would only remove the entry on error and
|
||||
thus leaking memory for each normal OR connections. Fixes bug 40604;
|
||||
bugfix on 0.4.0.1-alpha.
|
||||
- Stop sending TRUNCATED cell and instead close the circuit from which we
|
||||
received a DESTROY cell. This makes every relay in the circuit path to
|
||||
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
|
||||
|
||||
o Minor features (fallbackdir):
|
||||
- Regenerate fallback directories generated on August 11, 2022.
|
||||
|
||||
o Minor features (geoip data):
|
||||
- Update the geoip files to match the IPFire Location Database, as
|
||||
retrieved on 2022/08/11.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Permit the clone3 syscall, which is apparently used in glibc-2.34
|
||||
and later. Closes ticket 40590.
|
||||
|
||||
o Minor bugfixes (controller, path bias):
|
||||
- When a circuit's path is specified, in full or in part, from the
|
||||
controller API, do not count that circuit towards our path-bias
|
||||
calculations. (Doing so was incorrect, since we cannot tell
|
||||
whether the controller is selecting relays randomly.) Resolves a
|
||||
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
|
||||
|
||||
o Minor bugfixes (defense in depth):
|
||||
- Change a test in the netflow padding code to make it more
|
||||
_obviously_ safe against remotely triggered crashes. (It was safe
|
||||
against these before, but not obviously so.) Fixes bug 40645;
|
||||
bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (linux seccomp2 sandbox):
|
||||
- Allow the rseq system call in the sandbox. This solves a crash
|
||||
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
|
||||
40601; bugfix on 0.3.5.11.
|
||||
|
||||
o Minor bugfixes (metrics port, onion service):
|
||||
- The MetricsPort line for an onion service with multiple ports are now
|
||||
unique that is one line per port. Before this, all ports of an onion
|
||||
service would be on the same line which violates the Prometheus rules of
|
||||
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion service, client):
|
||||
- Fix a fatal assert due to a guard subsystem recursion triggered by
|
||||
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, DoS):
|
||||
- Fix one case of a not-especially viable denial-of-service attack
|
||||
found by OSS-Fuzz in our consensus-diff parsing code. This attack
|
||||
causes a lot small of memory allocations and then immediately
|
||||
frees them: this is only slow when running with all the sanitizers
|
||||
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Do not propagate either forward or backward a DESTROY remote reason when
|
||||
closing a circuit in order to avoid a possible side channel. Fixes bug
|
||||
40649; bugfix on 0.1.2.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.4.5.13 - 2022-08-11
|
||||
This version contains two major fixes aimed at reducing memory pressure on
|
||||
relays and possible side-channel. The rest of the fixes were backported for
|
||||
stability or safety purposes. We strongly recommend to upgrade your relay to
|
||||
this version or, ideally, to the latest stable of the 0.4.7.x series.
|
||||
|
||||
o Major bugfixes (relay):
|
||||
- Remove OR connections btrack subsystem entries when the connections
|
||||
close normally. Before this, we would only remove the entry on error and
|
||||
thus leaking memory for each normal OR connections. Fixes bug 40604;
|
||||
bugfix on 0.4.0.1-alpha.
|
||||
- Stop sending TRUNCATED cell and instead close the circuit from which we
|
||||
received a DESTROY cell. This makes every relay in the circuit path to
|
||||
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
|
||||
|
||||
o Minor features (fallbackdir):
|
||||
- Regenerate fallback directories generated on August 11, 2022.
|
||||
|
||||
o Minor features (geoip data):
|
||||
- Update the geoip files to match the IPFire Location Database, as
|
||||
retrieved on 2022/08/11.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Permit the clone3 syscall, which is apparently used in glibc-2.34
|
||||
and later. Closes ticket 40590.
|
||||
|
||||
o Minor bugfixes (controller, path bias):
|
||||
- When a circuit's path is specified, in full or in part, from the
|
||||
controller API, do not count that circuit towards our path-bias
|
||||
calculations. (Doing so was incorrect, since we cannot tell
|
||||
whether the controller is selecting relays randomly.) Resolves a
|
||||
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
|
||||
|
||||
o Minor bugfixes (defense in depth):
|
||||
- Change a test in the netflow padding code to make it more
|
||||
_obviously_ safe against remotely triggered crashes. (It was safe
|
||||
against these before, but not obviously so.) Fixes bug 40645;
|
||||
bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (linux seccomp2 sandbox):
|
||||
- Allow the rseq system call in the sandbox. This solves a crash
|
||||
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
|
||||
40601; bugfix on 0.3.5.11.
|
||||
|
||||
o Minor bugfixes (metrics port, onion service):
|
||||
- The MetricsPort line for an onion service with multiple ports are now
|
||||
unique that is one line per port. Before this, all ports of an onion
|
||||
service would be on the same line which violates the Prometheus rules of
|
||||
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion service, client):
|
||||
- Fix a fatal assert due to a guard subsystem recursion triggered by
|
||||
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, DoS):
|
||||
- Fix one case of a not-especially viable denial-of-service attack
|
||||
found by OSS-Fuzz in our consensus-diff parsing code. This attack
|
||||
causes a lot small of memory allocations and then immediately
|
||||
frees them: this is only slow when running with all the sanitizers
|
||||
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Do not propagate either forward or backward a DESTROY remote reason when
|
||||
closing a circuit in order to avoid a possible side channel. Fixes bug
|
||||
40649; bugfix on 0.1.2.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.4.7.8 - 2022-06-17
|
||||
This version fixes several bugfixes including a High severity security issue
|
||||
categorized as a Denial of Service. Everyone running an earlier version
|
||||
|
Loading…
Reference in New Issue
Block a user