mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
Copy the 0.4.6.5 changelog and releasenotes to main.
This commit is contained in:
parent
27c3254988
commit
e04831a0d2
59
ChangeLog
59
ChangeLog
@ -1,3 +1,62 @@
|
|||||||
|
Changes in version 0.4.6.5 - 2021-06-14
|
||||||
|
Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x
|
||||||
|
series includes numerous features and bugfixes, including a significant
|
||||||
|
improvement to our circuit timeout algorithm that should improve
|
||||||
|
observed client performance, and a way for relays to report when they are
|
||||||
|
overloaded.
|
||||||
|
|
||||||
|
This release also includes security fixes for several security issues,
|
||||||
|
including a denial-of-service attack against onion service clients,
|
||||||
|
and another denial-of-service attack against relays. Everybody should
|
||||||
|
upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
|
||||||
|
|
||||||
|
Below are the changes since 0.4.6.4-rc. For a complete list of changes
|
||||||
|
since 0.4.5.8, see the ReleaseNotes file.
|
||||||
|
|
||||||
|
o Major bugfixes (security):
|
||||||
|
- Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
|
||||||
|
half-closed streams. Previously, clients failed to validate which
|
||||||
|
hop sent these cells: this would allow a relay on a circuit to end
|
||||||
|
a stream that wasn't actually built with it. Fixes bug 40389;
|
||||||
|
bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
|
||||||
|
003 and CVE-2021-34548.
|
||||||
|
|
||||||
|
o Major bugfixes (security, defense-in-depth):
|
||||||
|
- Detect more failure conditions from the OpenSSL RNG code.
|
||||||
|
Previously, we would detect errors from a missing RNG
|
||||||
|
implementation, but not failures from the RNG code itself.
|
||||||
|
Fortunately, it appears those failures do not happen in practice
|
||||||
|
when Tor is using OpenSSL's default RNG implementation. Fixes bug
|
||||||
|
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
|
||||||
|
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
|
||||||
|
|
||||||
|
o Major bugfixes (security, denial of service):
|
||||||
|
- Resist a hashtable-based CPU denial-of-service attack against
|
||||||
|
relays. Previously we used a naive unkeyed hash function to look
|
||||||
|
up circuits in a circuitmux object. An attacker could exploit this
|
||||||
|
to construct circuits with chosen circuit IDs, to create
|
||||||
|
collisions and make the hash table inefficient. Now we use a
|
||||||
|
SipHash construction here instead. Fixes bug 40391; bugfix on
|
||||||
|
0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
|
||||||
|
CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
|
||||||
|
- Fix an out-of-bounds memory access in v3 onion service descriptor
|
||||||
|
parsing. An attacker could exploit this bug by crafting an onion
|
||||||
|
service descriptor that would crash any client that tried to visit
|
||||||
|
it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
|
||||||
|
tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
|
||||||
|
Glazunov from Google's Project Zero.
|
||||||
|
|
||||||
|
o Minor features (geoip data):
|
||||||
|
- Update the geoip files to match the IPFire Location Database, as
|
||||||
|
retrieved on 2021/06/10.
|
||||||
|
|
||||||
|
o Minor features (logging, diagnostic):
|
||||||
|
- Log decompression failures at a higher severity level, since they
|
||||||
|
can help provide missing context for other warning messages. We
|
||||||
|
rate-limit these messages, to avoid flooding the logs if they
|
||||||
|
begin to occur frequently. Closes ticket 40175.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.4.6.4-rc - 2021-05-28
|
Changes in version 0.4.6.4-rc - 2021-05-28
|
||||||
Tor 0.4.6.4-rc fixes a few bugs from previous releases. This, we hope,
|
Tor 0.4.6.4-rc fixes a few bugs from previous releases. This, we hope,
|
||||||
the final release candidate in its series: unless major new issues are
|
the final release candidate in its series: unless major new issues are
|
||||||
|
310
ReleaseNotes
310
ReleaseNotes
@ -2,6 +2,316 @@ This document summarizes new features and bugfixes in each stable
|
|||||||
release of Tor. If you want to see more detailed descriptions of the
|
release of Tor. If you want to see more detailed descriptions of the
|
||||||
changes in each development snapshot, see the ChangeLog file.
|
changes in each development snapshot, see the ChangeLog file.
|
||||||
|
|
||||||
|
Changes in version 0.4.6.5 - 2021-06-14
|
||||||
|
Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x
|
||||||
|
series includes numerous features and bugfixes, including a significant
|
||||||
|
improvement to our circuit timeout algorithm that should improve
|
||||||
|
observed client performance, and a way for relays to report when they are
|
||||||
|
overloaded.
|
||||||
|
|
||||||
|
This release also includes security fixes for several security issues,
|
||||||
|
including a denial-of-service attack against onion service clients,
|
||||||
|
and another denial-of-service attack against relays. Everybody should
|
||||||
|
upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
|
||||||
|
|
||||||
|
Below are the changes since 0.4.5.8. For a list of changes since
|
||||||
|
0.4.6.4-rc, see the ChangeLog file.
|
||||||
|
|
||||||
|
o Major bugfixes (security):
|
||||||
|
- Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
|
||||||
|
half-closed streams. Previously, clients failed to validate which
|
||||||
|
hop sent these cells: this would allow a relay on a circuit to end
|
||||||
|
a stream that wasn't actually built with it. Fixes bug 40389;
|
||||||
|
bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
|
||||||
|
003 and CVE-2021-34548.
|
||||||
|
|
||||||
|
o Major bugfixes (security, defense-in-depth):
|
||||||
|
- Detect more failure conditions from the OpenSSL RNG code.
|
||||||
|
Previously, we would detect errors from a missing RNG
|
||||||
|
implementation, but not failures from the RNG code itself.
|
||||||
|
Fortunately, it appears those failures do not happen in practice
|
||||||
|
when Tor is using OpenSSL's default RNG implementation. Fixes bug
|
||||||
|
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
|
||||||
|
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
|
||||||
|
|
||||||
|
o Major bugfixes (security, denial of service):
|
||||||
|
- Resist a hashtable-based CPU denial-of-service attack against
|
||||||
|
relays. Previously we used a naive unkeyed hash function to look
|
||||||
|
up circuits in a circuitmux object. An attacker could exploit this
|
||||||
|
to construct circuits with chosen circuit IDs, to create
|
||||||
|
collisions and make the hash table inefficient. Now we use a
|
||||||
|
SipHash construction here instead. Fixes bug 40391; bugfix on
|
||||||
|
0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
|
||||||
|
CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
|
||||||
|
- Fix an out-of-bounds memory access in v3 onion service descriptor
|
||||||
|
parsing. An attacker could exploit this bug by crafting an onion
|
||||||
|
service descriptor that would crash any client that tried to visit
|
||||||
|
it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
|
||||||
|
tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
|
||||||
|
Glazunov from Google's Project Zero.
|
||||||
|
|
||||||
|
o Major features (control port, onion services):
|
||||||
|
- Add controller support for creating version 3 onion services with
|
||||||
|
client authorization. Previously, only v2 onion services could be
|
||||||
|
created with client authorization. Closes ticket 40084. Patch by
|
||||||
|
Neel Chauhan.
|
||||||
|
|
||||||
|
o Major features (directory authority):
|
||||||
|
- When voting on a relay with a Sybil-like appearance, add the Sybil
|
||||||
|
flag when clearing out the other flags. This lets a relay operator
|
||||||
|
know why their relay hasn't been included in the consensus. Closes
|
||||||
|
ticket 40255. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Major features (metrics):
|
||||||
|
- Relays now report how overloaded they are in their extrainfo
|
||||||
|
documents. This information is controlled with the
|
||||||
|
OverloadStatistics torrc option, and it will be used to improve
|
||||||
|
decisions about the network's load balancing. Implements proposal
|
||||||
|
328; closes ticket 40222.
|
||||||
|
|
||||||
|
o Major features (relay, denial of service):
|
||||||
|
- Add a new DoS subsystem feature to control the rate of client
|
||||||
|
connections for relays. Closes ticket 40253.
|
||||||
|
|
||||||
|
o Major features (statistics):
|
||||||
|
- Relays now publish statistics about the number of v3 onion
|
||||||
|
services and volume of v3 onion service traffic, in the same
|
||||||
|
manner they already do for v2 onions. Closes ticket 23126.
|
||||||
|
|
||||||
|
o Major bugfixes (circuit build timeout):
|
||||||
|
- Improve the accuracy of our circuit build timeout calculation for
|
||||||
|
60%, 70%, and 80% build rates for various guard choices. We now
|
||||||
|
use a maximum likelihood estimator for Pareto parameters of the
|
||||||
|
circuit build time distribution, instead of a "right-censored
|
||||||
|
estimator". This causes clients to ignore circuits that never
|
||||||
|
finish building in their timeout calculations. Previously, clients
|
||||||
|
were counting such unfinished circuits as having the highest
|
||||||
|
possible build time value, when in reality these circuits most
|
||||||
|
likely just contain relays that are offline. We also now wait a
|
||||||
|
bit longer to let circuits complete for measurement purposes,
|
||||||
|
lower the minimum possible effective timeout from 1.5 seconds to
|
||||||
|
10ms, and increase the resolution of the circuit build time
|
||||||
|
histogram from 50ms bin widths to 10ms bin widths. Additionally,
|
||||||
|
we alter our estimate Xm by taking the maximum of the top 10 most
|
||||||
|
common build time values of the 10ms histogram, and compute Xm as
|
||||||
|
the average of these. Fixes bug 40168; bugfix on 0.2.2.14-alpha.
|
||||||
|
- Remove max_time calculation and associated warning from circuit
|
||||||
|
build timeout 'alpha' parameter estimation, as this is no longer
|
||||||
|
needed by our new estimator from 40168. Fixes bug 34088; bugfix
|
||||||
|
on 0.2.2.9-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (signing key):
|
||||||
|
- In the tor-gencert utility, give an informative error message if
|
||||||
|
the passphrase given in `--create-identity-key` is too short.
|
||||||
|
Fixes bug 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Minor features (bridge):
|
||||||
|
- We now announce the URL to Tor's new bridge status at
|
||||||
|
https://bridges.torproject.org/ when Tor is configured to run as a
|
||||||
|
bridge relay. Closes ticket 30477.
|
||||||
|
|
||||||
|
o Minor features (build system):
|
||||||
|
- New "make lsp" command to auto generate the compile_commands.json
|
||||||
|
file used by the ccls server. The "bear" program is needed for
|
||||||
|
this. Closes ticket 40227.
|
||||||
|
|
||||||
|
o Minor features (client):
|
||||||
|
- Clients now check whether their streams are attempting to re-enter
|
||||||
|
the Tor network (i.e. to send Tor traffic over Tor), and close
|
||||||
|
them preemptively if they think exit relays will refuse them for
|
||||||
|
this reason. See ticket 2667 for details. Closes ticket 40271.
|
||||||
|
|
||||||
|
o Minor features (command line):
|
||||||
|
- Add long format name "--torrc-file" equivalent to the existing
|
||||||
|
command-line option "-f". Closes ticket 40324. Patch by
|
||||||
|
Daniel Pinto.
|
||||||
|
|
||||||
|
o Minor features (command-line interface):
|
||||||
|
- Add build informations to `tor --version` in order to ease
|
||||||
|
reproducible builds. Closes ticket 32102.
|
||||||
|
- When parsing command-line flags that take an optional argument,
|
||||||
|
treat the argument as absent if it would start with a '-'
|
||||||
|
character. Arguments in that form are not intelligible for any of
|
||||||
|
our optional-argument flags. Closes ticket 40223.
|
||||||
|
- Allow a relay operator to list the ed25519 keys on the command
|
||||||
|
line by adding the `rsa` and `ed25519` arguments to the
|
||||||
|
--list-fingerprint flag to show the respective RSA and ed25519
|
||||||
|
relay fingerprint. Closes ticket 33632. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Minor features (compatibility):
|
||||||
|
- Remove an assertion function related to TLS renegotiation. It was
|
||||||
|
used nowhere outside the unit tests, and it was breaking
|
||||||
|
compilation with recent alpha releases of OpenSSL 3.0.0. Closes
|
||||||
|
ticket 40399.
|
||||||
|
|
||||||
|
o Minor features (control port, stream handling):
|
||||||
|
- Add the stream ID to the event line in the ADDRMAP control event.
|
||||||
|
Closes ticket 40249. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Minor features (dormant mode):
|
||||||
|
- Add a new 'DormantTimeoutEnabled' option to allow coarse-grained
|
||||||
|
control over whether the client ever becomes dormant from
|
||||||
|
inactivity. Most people won't need this. Closes ticket 40228.
|
||||||
|
- Add a new 'DormantTimeoutEnabled' option for coarse-grained
|
||||||
|
control over whether the client can become dormant from
|
||||||
|
inactivity. Most people won't need this. Closes ticket 40228.
|
||||||
|
|
||||||
|
o Minor features (geoip data):
|
||||||
|
- Update the geoip files to match the IPFire Location Database, as
|
||||||
|
retrieved on 2021/06/10.
|
||||||
|
|
||||||
|
o Minor features (logging):
|
||||||
|
- Edit heartbeat log messages so that more of them begin with the
|
||||||
|
string "Heartbeat: ". Closes ticket 40322; patch
|
||||||
|
from 'cypherpunks'.
|
||||||
|
- Change the DoS subsystem heartbeat line format to be more clear on
|
||||||
|
what has been detected/rejected, and which option is disabled (if
|
||||||
|
any). Closes ticket 40308.
|
||||||
|
- In src/core/mainloop/mainloop.c and src/core/mainloop/connection.c,
|
||||||
|
put brackets around IPv6 addresses in log messages. Closes ticket
|
||||||
|
40232. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Minor features (logging, diagnostic):
|
||||||
|
- Log decompression failures at a higher severity level, since they
|
||||||
|
can help provide missing context for other warning messages. We
|
||||||
|
rate-limit these messages, to avoid flooding the logs if they
|
||||||
|
begin to occur frequently. Closes ticket 40175.
|
||||||
|
|
||||||
|
o Minor features (onion services):
|
||||||
|
- Add a warning message when trying to connect to (no longer
|
||||||
|
supported) v2 onion services. Closes ticket 40373.
|
||||||
|
|
||||||
|
o Minor features (performance, windows):
|
||||||
|
- Use SRWLocks to implement locking on Windows. Replaces the
|
||||||
|
"critical section" locking implementation with the faster
|
||||||
|
SRWLocks, available since Windows Vista. Closes ticket 17927.
|
||||||
|
Patch by Daniel Pinto.
|
||||||
|
|
||||||
|
o Minor features (protocol, proxy support, defense in depth):
|
||||||
|
- Close HAProxy connections if they somehow manage to send us data
|
||||||
|
before we start reading. Closes another case of ticket 40017.
|
||||||
|
|
||||||
|
o Minor features (tests, portability):
|
||||||
|
- Port the hs_build_address.py test script to work with recent
|
||||||
|
versions of python. Closes ticket 40213. Patch from
|
||||||
|
Samanta Navarro.
|
||||||
|
|
||||||
|
o Minor features (vote document):
|
||||||
|
- Add a "stats" line to directory authority votes, to report various
|
||||||
|
statistics that authorities compute about the relays. This will
|
||||||
|
help us diagnose the network better. Closes ticket 40314.
|
||||||
|
|
||||||
|
o Minor bugfixes (build):
|
||||||
|
- The configure script now shows whether or not lzma and zstd have
|
||||||
|
been used, not just if the enable flag was passed in. Fixes bug
|
||||||
|
40236; bugfix on 0.4.3.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (compatibility):
|
||||||
|
- Fix a failure in the test cases when running on the "hppa"
|
||||||
|
architecture, along with a related test that might fail on other
|
||||||
|
architectures in the future. Fixes bug 40274; bugfix
|
||||||
|
on 0.2.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (compilation):
|
||||||
|
- Fix a compilation warning about unused functions when building
|
||||||
|
with a libc that lacks the GLOB_ALTDIRFUNC constant. Fixes bug
|
||||||
|
40354; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.
|
||||||
|
|
||||||
|
o Minor bugfixes (consensus handling):
|
||||||
|
- Avoid a set of bugs that could be caused by inconsistently
|
||||||
|
preferring an out-of-date consensus stored in a stale directory
|
||||||
|
cache over a more recent one stored on disk as the latest
|
||||||
|
consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (control, sandbox):
|
||||||
|
- Allow the control command SAVECONF to succeed when the seccomp
|
||||||
|
sandbox is enabled, and make SAVECONF keep only one backup file to
|
||||||
|
simplify implementation. Previously SAVECONF allowed a large
|
||||||
|
number of backup files, which made it incompatible with the
|
||||||
|
sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
|
||||||
|
Daniel Pinto.
|
||||||
|
|
||||||
|
o Minor bugfixes (directory authorities, voting):
|
||||||
|
- Add a new consensus method (31) to support any future changes that
|
||||||
|
authorities decide to make to the value of bwweightscale or
|
||||||
|
maxunmeasuredbw. Previously, there was a bug that prevented the
|
||||||
|
authorities from parsing these consensus parameters correctly under
|
||||||
|
most circumstances. Fixes bug 19011; bugfix on 0.2.2.10-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (ipv6):
|
||||||
|
- Allow non-SOCKSPorts to disable IPv4, IPv6, and PreferIPv4. Some
|
||||||
|
rare configurations might break, but in this case you can disable
|
||||||
|
NoIPv4Traffic and NoIPv6Traffic as needed. Fixes bug 33607; bugfix
|
||||||
|
on 0.4.1.1-alpha. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Minor bugfixes (key generation):
|
||||||
|
- Do not require a valid torrc when using the `--keygen` argument to
|
||||||
|
generate a signing key. This allows us to generate keys on systems
|
||||||
|
or users which may not run Tor. Fixes bug 40235; bugfix on
|
||||||
|
0.2.7.2-alpha. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Minor bugfixes (logging, relay):
|
||||||
|
- Emit a warning if an Address is found to be internal and tor can't
|
||||||
|
use it. Fixes bug 40290; bugfix on 0.4.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (metrics port):
|
||||||
|
- Fix a bug that made tor try to re-bind() on an already open
|
||||||
|
MetricsPort every 60 seconds. Fixes bug 40370; bugfix
|
||||||
|
on 0.4.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (onion services, logging):
|
||||||
|
- Downgrade the severity of a few rendezvous circuit-related
|
||||||
|
warnings from warning to info. Fixes bug 40207; bugfix on
|
||||||
|
0.3.2.1-alpha. Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Minor bugfixes (relay):
|
||||||
|
- Reduce the compression level for data streaming from HIGH to LOW.
|
||||||
|
This should reduce the CPU and memory burden for directory caches.
|
||||||
|
Fixes bug 40301; bugfix on 0.3.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (testing, BSD):
|
||||||
|
- Fix pattern-matching errors when patterns expand to invalid paths
|
||||||
|
on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
|
||||||
|
Daniel Pinto.
|
||||||
|
|
||||||
|
o Code simplification and refactoring:
|
||||||
|
- Remove the orconn_ext_or_id_map structure and related functions.
|
||||||
|
(Nothing outside of unit tests used them.) Closes ticket 33383.
|
||||||
|
Patch by Neel Chauhan.
|
||||||
|
|
||||||
|
o Removed features:
|
||||||
|
- Remove unneeded code for parsing private keys in directory
|
||||||
|
documents. This code was only used for client authentication in v2
|
||||||
|
onion services, which are now unsupported. Closes ticket 40374.
|
||||||
|
- As of this release, Tor no longer supports the old v2 onion
|
||||||
|
services. They were deprecated last July for security, and support
|
||||||
|
will be removed entirely later this year. We strongly encourage
|
||||||
|
everybody to migrate to v3 onion services. For more information,
|
||||||
|
see https://blog.torproject.org/v2-deprecation-timeline . Closes
|
||||||
|
ticket 40266. (NOTE: We accidentally released an earlier version
|
||||||
|
of the 0.4.6.1-alpha changelog without this entry. Sorry for
|
||||||
|
the confusion!)
|
||||||
|
|
||||||
|
o Code simplification and refactoring (metrics, DoS):
|
||||||
|
- Move the DoS subsystem into the subsys manager, including its
|
||||||
|
configuration options. Closes ticket 40261.
|
||||||
|
|
||||||
|
o Documentation (manual):
|
||||||
|
- Move the ServerTransport* options to the "SERVER OPTIONS" section.
|
||||||
|
Closes issue 40331.
|
||||||
|
- Indicate that the HiddenServiceStatistics option also applies to
|
||||||
|
bridges. Closes ticket 40346.
|
||||||
|
- Move the description of BridgeRecordUsageByCountry to the section
|
||||||
|
"STATISTICS OPTIONS". Closes ticket 40323.
|
||||||
|
|
||||||
|
o Removed features (relay):
|
||||||
|
- Because DirPorts are only used on authorities, relays no longer
|
||||||
|
advertise them. Similarly, self-testing for DirPorts has been
|
||||||
|
disabled, since an unreachable DirPort is no reason for a relay
|
||||||
|
not to advertise itself. (Configuring a DirPort will still work,
|
||||||
|
for now.) Closes ticket 40282.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.4.5.8 - 2021-05-10
|
Changes in version 0.4.5.8 - 2021-05-10
|
||||||
Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
|
Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
|
||||||
from the 0.4.6.x series.
|
from the 0.4.6.x series.
|
||||||
|
Loading…
Reference in New Issue
Block a user