o Security fixes: - Don't send TLS certificate chains on outgoing OR connections from clients and bridges. Previously, each client or bridge would use a single cert chain for all outgoing OR connections for up to 24 hours, which allowed any relay connected to by a client or bridge to determine which entry guards it is using. This is a potential user-tracing bug for *all* users; everyone who uses Tor's client or hidden service functionality should upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by frosty_un. - Don't use any OR connection on which we have received a CREATE_FAST cell to satisfy an EXTEND request. Previously, we would not consider whether a connection appears to be from a client or bridge when deciding whether to use that connection to satisfy an EXTEND request. Mitigates CVE-2011-2768, by preventing an attacker from determining whether an unpatched client is connected to a patched relay. Bugfix on FIXME; found by frosty_un.