release: Update ChangeLog/ReleaseNotes with latest releases

Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
David Goulet 2022-08-11 11:19:19 -04:00
parent fbfda1b661
commit bbc29f4a11
2 changed files with 424 additions and 0 deletions

212
ChangeLog
View File

@ -1,3 +1,215 @@
Changes in version 0.4.7.9 - 2022-08-11
This version contains several major fixes aimed at reducing memory pressure on
relays and possible side-channel. It also contains a major bugfix related to
congestion control also aimed at reducing memory pressure on relays.
Finally, there is last one major bugfix related to Vanguard L2 layer node
selection.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Major bugfixes (congestion control):
- Implement RFC3742 Limited Slow Start. Congestion control was
overshooting the congestion window during slow start, particularly
for onion service activity. With this fix, we now update the
congestion window more often during slow start, as well as dampen
the exponential growth when the congestion window grows above a
capping parameter. This should reduce the memory increases guard
relays were seeing, as well as allow us to set lower queue limits
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
on 0.4.7.5-alpha.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Major bugfixes (vanguards):
- We had omitted some checks for whether our vanguards (second layer
guards from proposal 333) overlapped. Now make sure to pick each
of them to be independent. Also, change the design to allow them
to come from the same family. Fixes bug 40639; bugfix
on 0.4.7.1-alpha.
o Minor features (dirauth):
- Add a torrc option to control the Guard flag bandwidth threshold
percentile. Closes ticket 40652.
- Add an AuthDirVoteGuard torrc option that can allow authorities to
assign the Guard flag to the given fingerprints/country code/IPs.
This is a needed feature mostly for defense purposes in case a DoS
hits the network and relay start losing the Guard flags too fast.
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
from torrc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor bugfixes (congestion control):
- Add a check for an integer underflow condition that might happen
in cases where the system clock is stopped, the ORconn is blocked,
and the endpoint sends more than a congestion window worth of non-
data control cells at once. This would cause a large congestion
window to be calculated instead of a small one. No security
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Changes in version 0.4.6.11 - 2022-08-11
This version contains two major fixes aimed at reducing memory pressure on
relays and possible side-channel. The rest of the fixes were backported for
stability or safety purposes.
This is the very LAST version of this series. As of August 1st 2022, it is
end-of-life (EOL). We thus strongly recommend to upgrade to the latest
stable of the 0.4.7.x series.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor features (linux seccomp2 sandbox):
- Permit the clone3 syscall, which is apparently used in glibc-2.34
and later. Closes ticket 40590.
o Minor bugfixes (controller, path bias):
- When a circuit's path is specified, in full or in part, from the
controller API, do not count that circuit towards our path-bias
calculations. (Doing so was incorrect, since we cannot tell
whether the controller is selecting relays randomly.) Resolves a
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (metrics port, onion service):
- The MetricsPort line for an onion service with multiple ports are now
unique that is one line per port. Before this, all ports of an onion
service would be on the same line which violates the Prometheus rules of
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service, client):
- Fix a fatal assert due to a guard subsystem recursion triggered by
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (performance, DoS):
- Fix one case of a not-especially viable denial-of-service attack
found by OSS-Fuzz in our consensus-diff parsing code. This attack
causes a lot small of memory allocations and then immediately
frees them: this is only slow when running with all the sanitizers
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Changes in version 0.4.5.13 - 2022-08-11
This version contains two major fixes aimed at reducing memory pressure on
relays and possible side-channel. The rest of the fixes were backported for
stability or safety purposes. We strongly recommend to upgrade your relay to
this version or, ideally, to the latest stable of the 0.4.7.x series.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor features (linux seccomp2 sandbox):
- Permit the clone3 syscall, which is apparently used in glibc-2.34
and later. Closes ticket 40590.
o Minor bugfixes (controller, path bias):
- When a circuit's path is specified, in full or in part, from the
controller API, do not count that circuit towards our path-bias
calculations. (Doing so was incorrect, since we cannot tell
whether the controller is selecting relays randomly.) Resolves a
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (metrics port, onion service):
- The MetricsPort line for an onion service with multiple ports are now
unique that is one line per port. Before this, all ports of an onion
service would be on the same line which violates the Prometheus rules of
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service, client):
- Fix a fatal assert due to a guard subsystem recursion triggered by
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (performance, DoS):
- Fix one case of a not-especially viable denial-of-service attack
found by OSS-Fuzz in our consensus-diff parsing code. This attack
causes a lot small of memory allocations and then immediately
frees them: this is only slow when running with all the sanitizers
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version

View File

@ -2,6 +2,218 @@ This document summarizes new features and bugfixes in each stable
release of Tor. If you want to see more detailed descriptions of the
changes in each development snapshot, see the ChangeLog file.
Changes in version 0.4.7.9 - 2022-08-11
This version contains several major fixes aimed at reducing memory pressure on
relays and possible side-channel. It also contains a major bugfix related to
congestion control also aimed at reducing memory pressure on relays.
Finally, there is last one major bugfix related to Vanguard L2 layer node
selection.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Major bugfixes (congestion control):
- Implement RFC3742 Limited Slow Start. Congestion control was
overshooting the congestion window during slow start, particularly
for onion service activity. With this fix, we now update the
congestion window more often during slow start, as well as dampen
the exponential growth when the congestion window grows above a
capping parameter. This should reduce the memory increases guard
relays were seeing, as well as allow us to set lower queue limits
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
on 0.4.7.5-alpha.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Major bugfixes (vanguards):
- We had omitted some checks for whether our vanguards (second layer
guards from proposal 333) overlapped. Now make sure to pick each
of them to be independent. Also, change the design to allow them
to come from the same family. Fixes bug 40639; bugfix
on 0.4.7.1-alpha.
o Minor features (dirauth):
- Add a torrc option to control the Guard flag bandwidth threshold
percentile. Closes ticket 40652.
- Add an AuthDirVoteGuard torrc option that can allow authorities to
assign the Guard flag to the given fingerprints/country code/IPs.
This is a needed feature mostly for defense purposes in case a DoS
hits the network and relay start losing the Guard flags too fast.
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
from torrc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor bugfixes (congestion control):
- Add a check for an integer underflow condition that might happen
in cases where the system clock is stopped, the ORconn is blocked,
and the endpoint sends more than a congestion window worth of non-
data control cells at once. This would cause a large congestion
window to be calculated instead of a small one. No security
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Changes in version 0.4.6.11 - 2022-08-11
This version contains two major fixes aimed at reducing memory pressure on
relays and possible side-channel. The rest of the fixes were backported for
stability or safety purposes.
This is the very LAST version of this series. As of August 1st 2022, it is
end-of-life (EOL). We thus strongly recommend to upgrade to the latest
stable of the 0.4.7.x series.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor features (linux seccomp2 sandbox):
- Permit the clone3 syscall, which is apparently used in glibc-2.34
and later. Closes ticket 40590.
o Minor bugfixes (controller, path bias):
- When a circuit's path is specified, in full or in part, from the
controller API, do not count that circuit towards our path-bias
calculations. (Doing so was incorrect, since we cannot tell
whether the controller is selecting relays randomly.) Resolves a
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (metrics port, onion service):
- The MetricsPort line for an onion service with multiple ports are now
unique that is one line per port. Before this, all ports of an onion
service would be on the same line which violates the Prometheus rules of
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service, client):
- Fix a fatal assert due to a guard subsystem recursion triggered by
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (performance, DoS):
- Fix one case of a not-especially viable denial-of-service attack
found by OSS-Fuzz in our consensus-diff parsing code. This attack
causes a lot small of memory allocations and then immediately
frees them: this is only slow when running with all the sanitizers
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Changes in version 0.4.5.13 - 2022-08-11
This version contains two major fixes aimed at reducing memory pressure on
relays and possible side-channel. The rest of the fixes were backported for
stability or safety purposes. We strongly recommend to upgrade your relay to
this version or, ideally, to the latest stable of the 0.4.7.x series.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor features (linux seccomp2 sandbox):
- Permit the clone3 syscall, which is apparently used in glibc-2.34
and later. Closes ticket 40590.
o Minor bugfixes (controller, path bias):
- When a circuit's path is specified, in full or in part, from the
controller API, do not count that circuit towards our path-bias
calculations. (Doing so was incorrect, since we cannot tell
whether the controller is selecting relays randomly.) Resolves a
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (metrics port, onion service):
- The MetricsPort line for an onion service with multiple ports are now
unique that is one line per port. Before this, all ports of an onion
service would be on the same line which violates the Prometheus rules of
unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service, client):
- Fix a fatal assert due to a guard subsystem recursion triggered by
the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (performance, DoS):
- Fix one case of a not-especially viable denial-of-service attack
found by OSS-Fuzz in our consensus-diff parsing code. This attack
causes a lot small of memory allocations and then immediately
frees them: this is only slow when running with all the sanitizers
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version