mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Merge branch 'maint-0.2.1' into master
commit
c3274c4c43
23
ChangeLog
@ -60,7 +60,23 @@ Changes in version 0.2.2.1-alpha - 2009-??-??
|
||||
controllers.
|
||||
|
||||
|
||||
Changes in version 0.2.1.18 - 2009-07-24
|
||||
o Build fixes:
|
||||
- Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
|
||||
|
||||
|
||||
Changes in version 0.2.1.17-rc - 2009-07-07
|
||||
Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
|
||||
candidate for the 0.2.1.x series. It lays the groundwork for further
|
||||
client performance improvements, and also fixes a big bug with directory
|
||||
authorities that were causing them to assign Guard and Stable flags
|
||||
poorly.
|
||||
|
||||
The Windows bundles also finally include the geoip database that we
|
||||
thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
|
||||
should actually install Torbutton rather than giving you a cryptic
|
||||
failure message (oops).
|
||||
|
||||
o Major features:
|
||||
- Clients now use the bandwidth values in the consensus, rather than
|
||||
the bandwidth values in each relay descriptor. This approach opens
|
||||
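Review bot: In the 0.2.1.17-rc summary, "fixes a big bug with directory authorities that were causing them to assign Guard and Stable flags poorly" has a subject-verb mismatch that changes the meaning. The clause describes the bug, so it should read "that was causing them"; as written it says the authorities were causing themselves to assign flags poorly.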
@ -108,6 +124,9 @@ Changes in version 0.2.1.17-rc - 2009-07-07
|
||||
|
||||
|
||||
Changes in version 0.2.1.16-rc - 2009-06-20
|
||||
Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
|
||||
a bunch of minor bugs.
|
||||
|
||||
o Security fixes:
|
||||
- Fix an edge case where a malicious exit relay could convince a
|
||||
controller that the client's DNS question resolves to an internal IP
|
||||
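Review bot: The new 0.2.1.16-rc summary says the release "fixes a bunch of minor bugs", but the first section directly under it is "Security fixes", covering a malicious exit relay that could convince a controller about a DNS answer. The summary should mention the security fix so that readers who only skim the blurb do not treat this release as optional.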
@ -154,6 +173,10 @@ Changes in version 0.2.1.16-rc - 2009-06-20
|
||||
|
||||
|
||||
Changes in version 0.2.1.15-rc - 2009-05-25
|
||||
Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
|
||||
series. It fixes a major bug on fast exit relays, as well as a variety
|
||||
of more minor bugs.
|
||||
|
||||
o Major bugfixes (on 0.2.0.x):
|
||||
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
|
||||
that would occur on some exit nodes when DNS failures and timeouts
|
||||
|
@ -29,12 +29,11 @@ dist-rpm:
|
||||
pushd $$RPM_BUILD_DIR/SOURCES/; \
|
||||
tar zcf tor-$(VERSION).tar.gz ./; \
|
||||
popd; \
|
||||
rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \
|
||||
LIBS=-lrt rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \
|
||||
mv $$RPM_BUILD_DIR/SRPMS/* .; \
|
||||
mv $$RPM_BUILD_DIR/RPMS/* .; \
|
||||
rm -rf $$RPM_BUILD_DIR
|
||||
|
||||
|
||||
dist-osx:
|
||||
@if [ "x$(prefix)" != 'x/Library/Tor' ]; then \
|
||||
echo "Configure with --prefix=/Library/Tor, please"; \
|
||||
|
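Review bot: On the dist-rpm recipe line `LIBS=-lrt rpmbuild -ba ...`, the assignment replaces any LIBS value the caller exported instead of appending to it, and nothing in the recipe says why librt is needed. If caller-supplied libraries should survive, use `LIBS="$$LIBS -lrt" rpmbuild ...`, and add a one-line comment tying the flag to the static libevent link that the ChangeLog entry mentions. The ChangeLog wording "Add LIBS=-lrt to Makefile.am" also reads like a change to a Makefile variable, while this is only an environment prefix on the rpmbuild call; the entry could say so.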
599
ReleaseNotes
@ -3,6 +3,605 @@ This document summarizes new features and bugfixes in each stable release
|
||||
of Tor. If you want to see more detailed descriptions of the changes in
|
||||
each development snapshot, see the ChangeLog file.
|
||||
|
||||
Changes in version 0.2.1.18 - 2009-07-24
|
||||
o Major features (clients):
|
||||
- Start sending "bootstrap phase" status events to the controller,
|
||||
so it can keep the user informed of progress fetching directory
|
||||
information and establishing circuits. Also inform the controller
|
||||
if we think we're stuck at a particular bootstrap phase. Implements
|
||||
proposal 137.
|
||||
- Clients replace entry guards that were chosen more than a few months
|
||||
ago. This change should significantly improve client performance,
|
||||
especially once more people upgrade, since relays that have been
|
||||
a guard for a long time are currently overloaded.
|
||||
- Network status consensus documents and votes now contain bandwidth
|
||||
information for each relay. Clients use the bandwidth values
|
||||
in the consensus, rather than the bandwidth values in each
|
||||
relay descriptor. This approach opens the door to more accurate
|
||||
bandwidth estimates once the directory authorities start doing
|
||||
active measurements. Implements part of proposal 141.
|
||||
|
||||
o Major features (relays):
|
||||
- Disable and refactor some debugging checks that forced a linear scan
|
||||
over the whole server-side DNS cache. These accounted for over 50%
|
||||
of CPU time on a relatively busy exit node's gprof profile. Also,
|
||||
disable some debugging checks that appeared in exit node profile
|
||||
data. Found by Jacob.
|
||||
- New DirPortFrontPage option that takes an html file and publishes
|
||||
it as "/" on the DirPort. Now relay operators can provide a
|
||||
disclaimer without needing to set up a separate webserver. There's
|
||||
a sample disclaimer in contrib/tor-exit-notice.html.
|
||||
|
||||
o Major features (hidden services):
|
||||
- Make it possible to build hidden services that only certain clients
|
||||
are allowed to connect to. This is enforced at several points,
|
||||
so that unauthorized clients are unable to send INTRODUCE cells
|
||||
to the service, or even (depending on the type of authentication)
|
||||
to learn introduction points. This feature raises the bar for
|
||||
certain kinds of active attacks against hidden services. Design
|
||||
and code by Karsten Loesing. Implements proposal 121.
|
||||
- Relays now store and serve v2 hidden service descriptors by default,
|
||||
i.e., the new default value for HidServDirectoryV2 is 1. This is
|
||||
the last step in proposal 114, which aims to make hidden service
|
||||
lookups more reliable.
|
||||
|
||||
o Major features (path selection):
|
||||
- ExitNodes and Exclude*Nodes config options now allow you to restrict
|
||||
by country code ("{US}") or IP address or address pattern
|
||||
("255.128.0.0/16"). Patch from Robert Hogan. It still needs some
|
||||
refinement to decide what config options should take priority if
|
||||
you ask to both use a particular node and exclude it.
|
||||
|
||||
o Major features (misc):
|
||||
- When building a consensus, do not include routers that are down.
|
||||
This cuts down 30% to 40% on consensus size. Implements proposal
|
||||
138.
|
||||
- New TestingTorNetwork config option to allow adjustment of
|
||||
previously constant values that could slow bootstrapping. Implements
|
||||
proposal 135. Patch from Karsten.
|
||||
- Convert many internal address representations to optionally hold
|
||||
IPv6 addresses. Generate and accept IPv6 addresses in many protocol
|
||||
elements. Make resolver code handle nameservers located at IPv6
|
||||
addresses.
|
||||
- More work on making our TLS handshake blend in: modify the list
|
||||
of ciphers advertised by OpenSSL in client mode to even more
|
||||
closely resemble a common web browser. We cheat a little so that
|
||||
we can advertise ciphers that the locally installed OpenSSL doesn't
|
||||
know about.
|
||||
- Use the TLS1 hostname extension to more closely resemble browser
|
||||
behavior.
|
||||
|
||||
o Security fixes (anonymity/entropy):
|
||||
- Never use a connection with a mismatched address to extend a
|
||||
circuit, unless that connection is canonical. A canonical
|
||||
connection is one whose address is authenticated by the router's
|
||||
identity key, either in a NETINFO cell or in a router descriptor.
|
||||
- Implement most of proposal 110: The first K cells to be sent
|
||||
along a circuit are marked as special "early" cells; only K "early"
|
||||
cells will be allowed. Once this code is universal, we can block
|
||||
certain kinds of denial-of-service attack by requiring that EXTEND
|
||||
commands must be sent using an "early" cell.
|
||||
- Resume using OpenSSL's RAND_poll() for better (and more portable)
|
||||
cross-platform entropy collection again. We used to use it, then
|
||||
stopped using it because of a bug that could crash systems that
|
||||
called RAND_poll when they had a lot of fds open. It looks like the
|
||||
bug got fixed in late 2006. Our new behavior is to call RAND_poll()
|
||||
at startup, and to call RAND_poll() when we reseed later only if
|
||||
we have a non-buggy OpenSSL version.
|
||||
- When the client is choosing entry guards, now it selects at most
|
||||
one guard from a given relay family. Otherwise we could end up with
|
||||
all of our entry points into the network run by the same operator.
|
||||
Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
|
||||
- Do not use or believe expired v3 authority certificates. Patch
|
||||
from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
|
||||
- Drop begin cells to a hidden service if they come from the middle
|
||||
of a circuit. Patch from lark.
|
||||
- When we erroneously receive two EXTEND cells for the same circuit
|
||||
ID on the same connection, drop the second. Patch from lark.
|
||||
- Authorities now vote for the Stable flag for any router whose
|
||||
weighted MTBF is at least 5 days, regardless of the mean MTBF.
|
||||
- Clients now never report any stream end reason except 'MISC'.
|
||||
Implements proposal 148.
|
||||
|
||||
o Major bugfixes (crashes):
|
||||
- Parse dates and IPv4 addresses in a locale- and libc-independent
|
||||
manner, to avoid platform-dependent behavior on malformed input.
|
||||
- Fix a crash that occurs on exit nodes when a nameserver request
|
||||
timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
|
||||
been suppressing the bug since 0.1.2.10-alpha. Partial fix for
|
||||
bug 929.
|
||||
- Do not assume that a stack-allocated character array will be
|
||||
64-bit aligned on platforms that demand that uint64_t access is
|
||||
aligned. Possible fix for bug 604.
|
||||
- Resolve a very rare crash bug that could occur when the user forced
|
||||
a nameserver reconfiguration during the middle of a nameserver
|
||||
probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
|
||||
- Avoid a "0 divided by 0" calculation when calculating router uptime
|
||||
at directory authorities. Bugfix on 0.2.0.8-alpha.
|
||||
- Fix an assertion bug in parsing policy-related options; possible fix
|
||||
for bug 811.
|
||||
- Rate-limit too-many-sockets messages: when they happen, they happen
|
||||
a lot and end up filling up the disk. Resolves bug 748.
|
||||
- Fix a race condition that could cause crashes or memory corruption
|
||||
when running as a server with a controller listening for log
|
||||
messages.
|
||||
- Avoid crashing when we have a policy specified in a DirPolicy or
|
||||
SocksPolicy or ReachableAddresses option with ports set on it,
|
||||
and we re-load the policy. May fix bug 996.
|
||||
- Fix an assertion failure on 64-bit platforms when we allocated
|
||||
memory right up to the end of a memarea, then realigned the memory
|
||||
one step beyond the end. Fixes a possible cause of bug 930.
|
||||
- Protect the count of open sockets with a mutex, so we can't
|
||||
corrupt it when two threads are closing or opening sockets at once.
|
||||
Fix for bug 939. Bugfix on 0.2.0.1-alpha.
|
||||
|
||||
o Major bugfixes (clients):
|
||||
- Discard router descriptors as we load them if they are more than
|
||||
five days old. Otherwise if Tor is off for a long time and then
|
||||
starts with cached descriptors, it will try to use the onion keys
|
||||
in those obsolete descriptors when building circuits. Fixes bug 887.
|
||||
- When we choose to abandon a new entry guard because we think our
|
||||
older ones might be better, close any circuits pending on that
|
||||
new entry guard connection. This fix should make us recover much
|
||||
faster when our network is down and then comes back. Bugfix on
|
||||
0.1.2.8-beta; found by lodger.
|
||||
- When Tor clients restart after 1-5 days, they discard all their
|
||||
cached descriptors as too old, but they still use the cached
|
||||
consensus document. This approach is good for robustness, but
|
||||
bad for performance: since they don't know any bandwidths, they
|
||||
end up choosing at random rather than weighting their choice by
|
||||
speed. Fixed by the above feature of putting bandwidths in the
|
||||
consensus.
|
||||
|
||||
o Major bugfixes (relays):
|
||||
- Relays were falling out of the networkstatus consensus for
|
||||
part of a day if they changed their local config but the
|
||||
authorities discarded their new descriptor as "not sufficiently
|
||||
different". Now directory authorities accept a descriptor as changed
|
||||
if BandwidthRate or BandwidthBurst changed. Partial fix for bug 962;
|
||||
patch by Sebastian.
|
||||
- Ensure that two circuits can never exist on the same connection
|
||||
with the same circuit ID, even if one is marked for close. This
|
||||
is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
|
||||
- Directory authorities were neglecting to mark relays down in their
|
||||
internal histories if the relays fall off the routerlist without
|
||||
ever being found unreachable. So there were relays in the histories
|
||||
that haven't been seen for eight months, and are listed as being
|
||||
up for eight months. This wreaked havoc on the "median wfu" and
|
||||
"median mtbf" calculations, in turn making Guard and Stable flags
|
||||
wrong, hurting network performance. Fixes bugs 696 and 969. Bugfix
|
||||
on 0.2.0.6-alpha.
|
||||
|
||||
o Major bugfixes (hidden services):
|
||||
- When establishing a hidden service, introduction points that
|
||||
originate from cannibalized circuits were completely ignored
|
||||
and not included in rendezvous service descriptors. This might
|
||||
have been another reason for delay in making a hidden service
|
||||
available. Bugfix from long ago (0.0.9.x?)
|
||||
|
||||
o Major bugfixes (memory and resource management):
|
||||
- Fixed some memory leaks -- some quite frequent, some almost
|
||||
impossible to trigger -- based on results from Coverity.
|
||||
- Speed up parsing and cut down on memory fragmentation by using
|
||||
stack-style allocations for parsing directory objects. Previously,
|
||||
this accounted for over 40% of allocations from within Tor's code
|
||||
on a typical directory cache.
|
||||
- Use a Bloom filter rather than a digest-based set to track which
|
||||
descriptors we need to keep around when we're cleaning out old
|
||||
router descriptors. This speeds up the computation significantly,
|
||||
and may reduce fragmentation.
|
||||
|
||||
o New/changed config options:
|
||||
- Now NodeFamily and MyFamily config options allow spaces in
|
||||
identity fingerprints, so it's easier to paste them in.
|
||||
Suggested by Lucky Green.
|
||||
- Allow ports 465 and 587 in the default exit policy again. We had
|
||||
rejected them in 0.1.0.15, because back in 2005 they were commonly
|
||||
misconfigured and ended up as spam targets. We hear they are better
|
||||
locked down these days.
|
||||
- Make TrackHostExit mappings expire a while after their last use, not
|
||||
after their creation. Patch from Robert Hogan.
|
||||
- Add an ExcludeExitNodes option so users can list a set of nodes
|
||||
that should be be excluded from the exit node position, but
|
||||
allowed elsewhere. Implements proposal 151.
|
||||
- New --hush command-line option similar to --quiet. While --quiet
|
||||
disables all logging to the console on startup, --hush limits the
|
||||
output to messages of warning and error severity.
|
||||
- New configure/torrc options (--enable-geoip-stats,
|
||||
DirRecordUsageByCountry) to record how many IPs we've served
|
||||
directory info to in each country code, how many status documents
|
||||
total we've sent to each country code, and what share of the total
|
||||
directory requests we should expect to see.
|
||||
- Make outbound DNS packets respect the OutboundBindAddress setting.
|
||||
Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
|
||||
- Allow separate log levels to be configured for different logging
|
||||
domains. For example, this allows one to log all notices, warnings,
|
||||
or errors, plus all memory management messages of level debug or
|
||||
higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
|
||||
- Update to the "June 3 2009" ip-to-country file.
|
||||
|
||||
o Minor features (relays):
|
||||
- Raise the minimum rate limiting to be a relay from 20000 bytes
|
||||
to 20480 bytes (aka 20KB/s), to match our documentation. Also
|
||||
update directory authorities so they always assign the Fast flag
|
||||
to relays with 20KB/s of capacity. Now people running relays won't
|
||||
suddenly find themselves not seeing any use, if the network gets
|
||||
faster on average.
|
||||
- If we're a relay and we change our IP address, be more verbose
|
||||
about the reason that made us change. Should help track down
|
||||
further bugs for relays on dynamic IP addresses.
|
||||
- Exit servers can now answer resolve requests for ip6.arpa addresses.
|
||||
- Implement most of Proposal 152: allow specialized servers to permit
|
||||
single-hop circuits, and clients to use those servers to build
|
||||
single-hop circuits when using a specialized controller. Patch
|
||||
from Josh Albrecht. Resolves feature request 768.
|
||||
- When relays do their initial bandwidth measurement, don't limit
|
||||
to just our entry guards for the test circuits. Otherwise we tend
|
||||
to have multiple test circuits going through a single entry guard,
|
||||
which makes our bandwidth test less accurate. Fixes part of bug 654;
|
||||
patch contributed by Josh Albrecht.
|
||||
|
||||
o Minor features (directory authorities):
|
||||
- Try not to open more than one descriptor-downloading connection
|
||||
to an authority at once. This should reduce load on directory
|
||||
authorities. Fixes bug 366.
|
||||
- Add cross-certification to newly generated certificates, so that
|
||||
a signing key is enough information to look up a certificate. Start
|
||||
serving certificates by <identity digest, signing key digest>
|
||||
pairs. Implements proposal 157.
|
||||
- When a directory authority downloads a descriptor that it then
|
||||
immediately rejects, do not retry downloading it right away. Should
|
||||
save some bandwidth on authorities. Fix for bug 888. Patch by
|
||||
Sebastian Hahn.
|
||||
- Directory authorities now serve a /tor/dbg-stability.txt URL to
|
||||
help debug WFU and MTBF calculations.
|
||||
- In directory authorities' approved-routers files, allow
|
||||
fingerprints with or without space.
|
||||
|
||||
o Minor features (directory mirrors):
|
||||
- When a download gets us zero good descriptors, do not notify
|
||||
Tor that new directory information has arrived.
|
||||
- Servers support a new URL scheme for consensus downloads that
|
||||
allows the client to specify which authorities are trusted.
|
||||
The server then only sends the consensus if the client will trust
|
||||
it. Otherwise a 404 error is sent back. Clients use this
|
||||
new scheme when the server supports it (meaning it's running
|
||||
0.2.1.1-alpha or later). Implements proposal 134.
|
||||
|
||||
o Minor features (bridges):
|
||||
- If the bridge config line doesn't specify a port, assume 443.
|
||||
This makes bridge lines a bit smaller and easier for users to
|
||||
understand.
|
||||
- If we're using bridges and our network goes away, be more willing
|
||||
to forgive our bridges and try again when we get an application
|
||||
request.
|
||||
|
||||
o Minor features (hidden services):
|
||||
- When the client launches an introduction circuit, retry with a
|
||||
new circuit after 30 seconds rather than 60 seconds.
|
||||
- Launch a second client-side introduction circuit in parallel
|
||||
after a delay of 15 seconds (based on work by Christian Wilms).
|
||||
- Hidden services start out building five intro circuits rather
|
||||
than three, and when the first three finish they publish a service
|
||||
descriptor using those. Now we publish our service descriptor much
|
||||
faster after restart.
|
||||
- Drop the requirement to have an open dir port for storing and
|
||||
serving v2 hidden service descriptors.
|
||||
|
||||
o Minor features (build and packaging):
|
||||
- On Linux, use the prctl call to re-enable core dumps when the User
|
||||
option is set.
|
||||
- Try to make sure that the version of Libevent we're running with
|
||||
is binary-compatible with the one we built with. May address bug
|
||||
897 and others.
|
||||
- Add a new --enable-local-appdata configuration switch to change
|
||||
the default location of the datadir on win32 from APPDATA to
|
||||
LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
|
||||
entirely. Patch from coderman.
|
||||
- Build correctly against versions of OpenSSL 0.9.8 or later that
|
||||
are built without support for deprecated functions.
|
||||
- On platforms with a maximum syslog string length, truncate syslog
|
||||
messages to that length ourselves, rather than relying on the
|
||||
system to do it for us.
|
||||
- Automatically detect MacOSX versions earlier than 10.4.0, and
|
||||
disable kqueue from inside Tor when running with these versions.
|
||||
We previously did this from the startup script, but that was no
|
||||
help to people who didn't use the startup script. Resolves bug 863.
|
||||
- Build correctly when configured to build outside the main source
|
||||
path. Patch from Michael Gold.
|
||||
- Disable GCC's strict alias optimization by default, to avoid the
|
||||
likelihood of its introducing subtle bugs whenever our code violates
|
||||
the letter of C99's alias rules.
|
||||
- Change the contrib/tor.logrotate script so it makes the new
|
||||
logs as "_tor:_tor" rather than the default, which is generally
|
||||
"root:wheel". Fixes bug 676, reported by Serge Koksharov.
|
||||
- Change our header file guard macros to be less likely to conflict
|
||||
with system headers. Adam Langley noticed that we were conflicting
|
||||
with log.h on Android.
|
||||
- Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
|
||||
and stop using a warning that had become unfixably verbose under
|
||||
GCC 4.3.
|
||||
- Use a lockfile to make sure that two Tor processes are not
|
||||
simultaneously running with the same datadir.
|
||||
- Allow OpenSSL to use dynamic locks if it wants.
|
||||
- Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
|
||||
|
||||
o Minor features (controllers):
|
||||
- When generating circuit events with verbose nicknames for
|
||||
controllers, try harder to look up nicknames for routers on a
|
||||
circuit. (Previously, we would look in the router descriptors we had
|
||||
for nicknames, but not in the consensus.) Partial fix for bug 941.
|
||||
- New controller event NEWCONSENSUS that lists the networkstatus
|
||||
lines for every recommended relay. Now controllers like Torflow
|
||||
can keep up-to-date on which relays they should be using.
|
||||
- New controller event "clients_seen" to report a geoip-based summary
|
||||
of which countries we've seen clients from recently. Now controllers
|
||||
like Vidalia can show bridge operators that they're actually making
|
||||
a difference.
|
||||
- Add a 'getinfo status/clients-seen' controller command, in case
|
||||
controllers want to hear clients_seen events but connect late.
|
||||
- New CONSENSUS_ARRIVED event to note when a new consensus has
|
||||
been fetched and validated.
|
||||
- Add an internal-use-only __ReloadTorrcOnSIGHUP option for
|
||||
controllers to prevent SIGHUP from reloading the configuration.
|
||||
Fixes bug 856.
|
||||
- Return circuit purposes in response to GETINFO circuit-status.
|
||||
Fixes bug 858.
|
||||
- Serve the latest v3 networkstatus consensus via the control
|
||||
port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
|
||||
- Add a "GETINFO /status/bootstrap-phase" controller option, so the
|
||||
controller can query our current bootstrap state in case it attaches
|
||||
partway through and wants to catch up.
|
||||
- Provide circuit purposes along with circuit events to the controller.
|
||||
|
||||
o Minor features (tools):
|
||||
- Do not have tor-resolve automatically refuse all .onion addresses;
|
||||
if AutomapHostsOnResolve is set in your torrc, this will work fine.
|
||||
- Add a -p option to tor-resolve for specifying the SOCKS port: some
|
||||
people find host:port too confusing.
|
||||
- Print the SOCKS5 error message string as well as the error code
|
||||
when a tor-resolve request fails. Patch from Jacob.
|
||||
|
||||
o Minor bugfixes (memory and resource management):
|
||||
- Clients no longer cache certificates for authorities they do not
|
||||
recognize. Bugfix on 0.2.0.9-alpha.
|
||||
- Do not use C's stdio library for writing to log files. This will
|
||||
improve logging performance by a minute amount, and will stop
|
||||
leaking fds when our disk is full. Fixes bug 861.
|
||||
- Stop erroneous use of O_APPEND in cases where we did not in fact
|
||||
want to re-seek to the end of a file before every last write().
|
||||
- Fix a small alignment and memory-wasting bug on buffer chunks.
|
||||
Spotted by rovv.
|
||||
- Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
|
||||
to avoid unused RAM in buffer chunks and memory pools.
|
||||
- Reduce the default smartlist size from 32 to 16; it turns out that
|
||||
most smartlists hold around 8-12 elements tops.
|
||||
- Make dumpstats() log the fullness and size of openssl-internal
|
||||
buffers.
|
||||
- If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
|
||||
patch to their OpenSSL, turn it on to save memory on servers. This
|
||||
patch will (with any luck) get included in a mainline distribution
|
||||
before too long.
|
||||
- Fix a memory leak when v3 directory authorities load their keys
|
||||
and cert from disk. Bugfix on 0.2.0.1-alpha.
|
||||
- Stop using malloc_usable_size() to use more area than we had
|
||||
actually allocated: it was safe, but made valgrind really unhappy.
|
||||
- Make the assert_circuit_ok() function work correctly on circuits that
|
||||
have already been marked for close.
|
||||
- Fix uninitialized size field for memory area allocation: may improve
|
||||
memory performance during directory parsing.
|
||||
|
||||
o Minor bugfixes (clients):
|
||||
- Stop reloading the router list from disk for no reason when we
|
||||
run out of reachable directory mirrors. Once upon a time reloading
|
||||
it would set the 'is_running' flag back to 1 for them. It hasn't
|
||||
done that for a long time.
|
||||
- When we had picked an exit node for a connection, but marked it as
|
||||
"optional", and it turned out we had no onion key for the exit,
|
||||
stop wanting that exit and try again. This situation may not
|
||||
be possible now, but will probably become feasible with proposal
|
||||
158. Spotted by rovv. Fixes another case of bug 752.
|
||||
- Fix a bug in address parsing that was preventing bridges or hidden
|
||||
service targets from being at IPv6 addresses.
|
||||
- Do not remove routers as too old if we do not have any consensus
|
||||
document. Bugfix on 0.2.0.7-alpha.
|
||||
- When an exit relay resolves a stream address to a local IP address,
|
||||
do not just keep retrying that same exit relay over and
|
||||
over. Instead, just close the stream. Addresses bug 872. Bugfix
|
||||
on 0.2.0.32. Patch from rovv.
|
||||
- Made Tor a little less aggressive about deleting expired
|
||||
certificates. Partial fix for bug 854.
|
||||
- Treat duplicate certificate fetches as failures, so that we do
|
||||
not try to re-fetch an expired certificate over and over and over.
|
||||
- Do not say we're fetching a certificate when we'll in fact skip it
|
||||
because of a pending download.
|
||||
- If we have correct permissions on $datadir, we complain to stdout
|
||||
and fail to start. But dangerous permissions on
|
||||
$datadir/cached-status/ would cause us to open a log and complain
|
||||
there. Now complain to stdout and fail to start in both cases. Fixes
|
||||
bug 820, reported by seeess.
|
||||
|
||||
o Minor bugfixes (bridges):
|
||||
- When we made bridge authorities stop serving bridge descriptors over
|
||||
unencrypted links, we also broke DirPort reachability testing for
|
||||
bridges. So bridges with a non-zero DirPort were printing spurious
|
||||
warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
|
||||
- Don't allow a bridge to publish its router descriptor to a
|
||||
non-bridge directory authority. Fixes part of bug 932.
|
||||
- When we change to or from being a bridge, reset our counts of
|
||||
client usage by country. Fixes bug 932.
|
||||
|
||||
o Minor bugfixes (relays):
|
||||
- Log correct error messages for DNS-related network errors on
|
||||
Windows.
|
||||
- Actually return -1 in the error case for read_bandwidth_usage().
|
||||
Harmless bug, since we currently don't care about the return value
|
||||
anywhere. Bugfix on 0.2.0.9-alpha.
|
||||
- Provide a more useful log message if bug 977 (related to buffer
|
||||
freelists) ever reappears, and do not crash right away.
|
||||
- We were already rejecting relay begin cells with destination port
|
||||
of 0. Now also reject extend cells with destination port or address
|
||||
of 0. Suggested by lark.
|
||||
- When we can't transmit a DNS request due to a network error, retry
|
||||
it after a while, and eventually transmit a failing response to
|
||||
the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
|
||||
- Solve a bug that kept hardware crypto acceleration from getting
|
||||
enabled when accounting was turned on. Fixes bug 907. Bugfix on
|
||||
0.0.9pre6.
|
||||
- When a canonical connection appears later in our internal list
|
||||
than a noncanonical one for a given OR ID, always use the
|
||||
canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
|
||||
Spotted by rovv.
|
||||
- Avoid some nasty corner cases in the logic for marking connections
|
||||
as too old or obsolete or noncanonical for circuits. Partial
|
||||
bugfix on bug 891.
|
||||
- Fix another interesting corner-case of bug 891 spotted by rovv:
|
||||
Previously, if two hosts had different amounts of clock drift, and
|
||||
one of them created a new connection with just the wrong timing,
|
||||
the other might decide to deprecate the new connection erroneously.
|
||||
Bugfix on 0.1.1.13-alpha.
|
||||
- If one win32 nameserver fails to get added, continue adding the
|
||||
rest, and don't automatically fail.
|
||||
- Fix a bug where an unreachable relay would establish enough
|
||||
reachability testing circuits to do a bandwidth test -- if
|
||||
we already have a connection to the middle hop of the testing
|
||||
circuit, then it could establish the last hop by using the existing
|
||||
connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
|
||||
circuits no longer use entry guards in 0.2.1.3-alpha.
|
||||
|
||||
o Minor bugfixes (directory authorities):
|
||||
- Limit uploaded directory documents to be 16M rather than 500K.
|
||||
The directory authorities were refusing v3 consensus votes from
|
||||
other authorities, since the votes are now 504K. Fixes bug 959;
|
||||
bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
|
||||
- Directory authorities should never send a 503 "busy" response to
|
||||
requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
|
||||
bug 959.
|
||||
- Fix code so authorities _actually_ send back X-Descriptor-Not-New
|
||||
headers. Bugfix on 0.2.0.10-alpha.
|
||||
|
||||
o Minor bugfixes (hidden services):
|
||||
- When we can't find an intro key for a v2 hidden service descriptor,
|
||||
fall back to the v0 hidden service descriptor and log a bug message.
|
||||
Workaround for bug 1024.
|
||||
- In very rare situations new hidden service descriptors were
|
||||
published earlier than 30 seconds after the last change to the
|
||||
service. (We currently think that a hidden service descriptor
|
||||
that's been stable for 30 seconds is worth publishing.)
|
||||
- If a hidden service sends us an END cell, do not consider
|
||||
retrying the connection; just close it. Patch from rovv.
|
||||
- If we are not using BEGIN_DIR cells, don't attempt to contact hidden
|
||||
service directories if they have no advertised dir port. Bugfix
|
||||
on 0.2.0.10-alpha.
|
||||
|
||||
o Minor bugfixes (tools):
|
||||
- In the torify(1) manpage, mention that tsocks will leak your
|
||||
DNS requests.
|
||||
|
||||
o Minor bugfixes (controllers):
|
||||
- If the controller claimed responsibility for a stream, but that
|
||||
stream never finished making its connection, it would live
|
||||
forever in circuit_wait state. Now we close it after SocksTimeout
|
||||
seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
|
||||
- Make DNS resolved controller events into "CLOSED", not
|
||||
"FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
|
||||
bug 807.
|
||||
- The control port would close the connection before flushing long
|
||||
replies, such as the network consensus, if a QUIT command was issued
|
||||
before the reply had completed. Now, the control port flushes all
|
||||
pending replies before closing the connection. Also fix a spurious
|
||||
warning when a QUIT command is issued after a malformed or rejected
|
||||
AUTHENTICATE command, but before the connection was closed. Patch
|
||||
by Marcus Griep. Fixes bugs 1015 and 1016.
|
||||
- Fix a bug that made stream bandwidth get misreported to the
|
||||
controller.
|
||||
|
||||
o Deprecated and removed features:
|
||||
- The old "tor --version --version" command, which would print out
|
||||
the subversion "Id" of most of the source files, is now removed. It
|
||||
turned out to be less useful than we'd expected, and harder to
|
||||
maintain.
|
||||
- RedirectExits has been removed. It was deprecated since
|
||||
0.2.0.3-alpha.
|
||||
- Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
|
||||
has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
|
||||
- Cell pools are now always enabled; --disable-cell-pools is ignored.
|
||||
- Directory mirrors no longer fetch the v1 directory or
|
||||
running-routers files. They are obsolete, and nobody asks for them
|
||||
anymore. This is the first step to making v1 authorities obsolete.
|
||||
- Take out the TestVia config option, since it was a workaround for
|
||||
a bug that was fixed in Tor 0.1.1.21.
|
||||
- Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
|
||||
HiddenServiceExcludeNodes as obsolete: they never worked properly,
|
||||
and nobody seems to be using them. Fixes bug 754. Bugfix on
|
||||
0.1.0.1-rc. Patch from Christian Wilms.
|
||||
- Remove all backward-compatibility code for relays running
|
||||
versions of Tor so old that they no longer work at all on the
|
||||
Tor network.
|
||||
|
||||
o Code simplifications and refactoring:
|
||||
- Tool-assisted documentation cleanup. Nearly every function or
|
||||
static variable in Tor should have its own documentation now.
|
||||
- Rename the confusing or_is_obsolete field to the more appropriate
|
||||
is_bad_for_new_circs, and move it to or_connection_t where it
|
||||
belongs.
|
||||
- Move edge-only flags from connection_t to edge_connection_t: not
|
||||
only is this better coding, but on machines of plausible alignment,
|
||||
it should save 4-8 bytes per connection_t. "Every little bit helps."
|
||||
- Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
|
||||
for consistency; keep old option working for backward compatibility.
|
||||
- Simplify the code for finding connections to use for a circuit.
|
||||
- Revise the connection_new functions so that a more typesafe variant
|
||||
exists. This will work better with Coverity, and let us find any
|
||||
actual mistakes we're making here.
|
||||
- Refactor unit testing logic so that dmalloc can be used sensibly
|
||||
with unit tests to check for memory leaks.
|
||||
- Move all hidden-service related fields from connection and circuit
|
||||
structure to substructures: this way they won't eat so much memory.
|
||||
- Squeeze 2-5% out of client performance (according to oprofile) by
|
||||
improving the implementation of some policy-manipulation functions.
|
||||
- Change the implementation of ExcludeNodes and ExcludeExitNodes to
|
||||
be more efficient. Formerly it was quadratic in the number of
|
||||
servers; now it should be linear. Fixes bug 509.
|
||||
- Save 16-22 bytes per open circuit by moving the n_addr, n_port,
|
||||
and n_conn_id_digest fields into a separate structure that's
|
||||
only needed when the circuit has not yet attached to an n_conn.
|
||||
- Optimize out calls to time(NULL) that occur for every IO operation,
|
||||
or for every cell. On systems like Windows where time() is a
|
||||
slow syscall, this fix will be slightly helpful.
|
||||
|
||||
|
||||
Changes in version 0.2.0.35 - 2009-06-24
|
||||
o Security fix:
|
||||
- Avoid crashing in the presence of certain malformed descriptors.
|
||||
Found by lark, and by automated fuzzing.
|
||||
- Fix an edge case where a malicious exit relay could convince a
|
||||
controller that the client's DNS question resolves to an internal IP
|
||||
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
|
||||
|
||||
o Major bugfixes:
|
||||
- Finally fix the bug where dynamic-IP relays disappear when their
|
||||
IP address changes: directory mirrors were mistakenly telling
|
||||
them their old address if they asked via begin_dir, so they
|
||||
never got an accurate answer about their new address, so they
|
||||
just vanished after a day. For belt-and-suspenders, relays that
|
||||
don't set Address in their config now avoid using begin_dir for
|
||||
all direct connections. Should fix bugs 827, 883, and 900.
|
||||
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
|
||||
that would occur on some exit nodes when DNS failures and timeouts
|
||||
occurred in certain patterns. Fix for bug 957.
|
||||
|
||||
o Minor bugfixes:
|
||||
- When starting with a cache over a few days old, do not leak
|
||||
memory for the obsolete router descriptors in it. Bugfix on
|
||||
0.2.0.33; fixes bug 672.
|
||||
- Hidden service clients didn't use a cached service descriptor that
|
||||
was older than 15 minutes, but wouldn't fetch a new one either,
|
||||
because there was already one in the cache. Now, fetch a v2
|
||||
descriptor unless the same descriptor was added to the cache within
|
||||
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
|
||||
|
||||
|
||||
Changes in version 0.2.0.34 - 2009-02-08
|
||||
Tor 0.2.0.34 features several more security-related fixes. You should
|
||||
upgrade, especially if you run an exit relay (remote crash) or a
|
||||
|
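Review bot: In the 0.2.0.35 entry, the first item under "o Security fix:" ("Avoid crashing in the presence of certain malformed descriptors") carries no "Bugfix on" version and does not say who can supply such a descriptor, so an operator cannot tell from the entry which releases are affected or whether the crash can be triggered remotely. The second item does name 0.1.2.8-beta. Suggest adding the affected-version note to the first item. Because the heading covers two items, it should read "o Security fixes:". The entry also has no summary paragraph, unlike the 0.2.0.34 entry that follows it.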
7
debian/changelog
vendored
@ -1,3 +1,10 @@
|
||||
tor (0.2.1.17-rc-1) experimental; urgency=low
|
||||
|
||||
* New upstream version.
|
||||
* Update upstream URL in debian/copyright.
|
||||
|
||||
-- Peter Palfrader <weasel@debian.org> Mon, 13 Jul 2009 23:37:37 +0200
|
||||
|
||||
tor (0.2.1.16-rc-1) experimental; urgency=low
|
||||
|
||||
* New upstream version.
|
||||
|
2
debian/copyright
vendored
@ -1,7 +1,7 @@
|
||||
This package was debianized by Peter Palfrader <weasel@debian.org> on
|
||||
Sat, 10 Jan 2004 11:20:06 +0100.
|
||||
|
||||
It was downloaded from http://tor.eff.org/
|
||||
It was downloaded from https://www.torproject.org/
|
||||
|
||||
Upstream Authors: Roger Dingledine <arma@freehaven.net>
|
||||
Nick Mathewson <nickm@freehaven.net>
|
||||
|
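Review bot: With the URL switched, "It was downloaded from https://www.torproject.org/" sits directly after the "debianized ... on Sat, 10 Jan 2004" sentence and now reads as a statement about where the 2004 package source came from. If the intent is to tell users where current upstream lives, wording such as "The upstream source is available from https://www.torproject.org/" would say that without restating the package's history.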