-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello, all!
This is a slightly belated announcement for the release of 0.2.4.22.
I'm including the release notes for Tor 0.2.4.20 and Tor 0.2.4.21 as
well, since apparently they never made it onto this list.
I've enlisted help from Colin to make sure that future stable
release announcements make it to this list in a more timely manner
(ideally, as soon as packages are built). TorBrowser releases will
typically lag a little, as they follow their own release schedule.
(Alpha releases will still be announced on tor-talk only.)
Changes in version 0.2.4.22 - 2014-05-16
Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5
alpha release series. These include blocking all authority signing
keys that may have been affected by the OpenSSL "heartbleed" bug,
choosing a far more secure set of TLS ciphersuites by default, closing
a couple of memory leaks that could be used to run a target relay out
of RAM, and several others.
o Major features (security, backport from 0.2.5.4-alpha):
- Block authority signing keys that were used on authorities
vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
don't have any evidence that these keys _were_ compromised; we're
doing this to be prudent.) Resolves ticket 11464.
o Major bugfixes (security, OOM):
- Fix a memory leak that could occur if a microdescriptor parse
fails during the tokenizing step. This bug could enable a memory
exhaustion attack by directory servers. Fixes bug 11649; bugfix
on 0.2.2.6-alpha.
o Major bugfixes (TLS cipher selection, backport from 0.2.5.4-alpha):
- The relay ciphersuite list is now generated automatically based on
uniform criteria, and includes all OpenSSL ciphersuites with
acceptable strength and forward secrecy. Previously, we had left
some perfectly fine ciphersuites unsupported due to omission or
typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by
'cypherpunks'. Bugfix on 0.2.4.8-alpha.
- Relays now trust themselves to have a better view than clients of
which TLS ciphersuites are better than others. (Thanks to bug
11513, the relay list is now well-considered, whereas the client
list has been chosen mainly for anti-fingerprinting purposes.)
Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over
CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over
AES128. Resolves ticket 11528.
- Clients now try to advertise the same list of ciphersuites as
Firefox 28. This change enables selection of (fast) GCM
ciphersuites, disables some strange old ciphers, and stops
advertising the ECDH (not to be confused with ECDHE) ciphersuites.
Resolves ticket 11438.
o Minor bugfixes (configuration, security):
- When running a hidden service, do not allow TunneledDirConns 0:
trying to set that option together with a hidden service would
otherwise prevent the hidden service from running, and also make
it publish its descriptors directly over HTTP. Fixes bug 10849;
bugfix on 0.2.1.1-alpha.
o Minor bugfixes (controller, backport from 0.2.5.4-alpha):
- Avoid sending a garbage value to the controller when a circuit is
cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
o Minor bugfixes (exit relay, backport from 0.2.5.4-alpha):
- Stop leaking memory when we successfully resolve a PTR record.
Fixes bug 11437; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (bridge client, backport from 0.2.5.4-alpha):
- Avoid 60-second delays in the bootstrapping process when Tor is
launching for a second time while using bridges. Fixes bug 9229;
bugfix on 0.2.0.3-alpha.
o Minor bugfixes (relays and bridges, backport from 0.2.5.4-alpha):
- Give the correct URL in the warning message when trying to run a
relay on an ancient version of Windows. Fixes bug 9393.
o Minor bugfixes (compilation):
- Fix a compilation error when compiling with --disable-curve25519.
Fixes bug 9700; bugfix on 0.2.4.17-rc.
o Minor bugfixes:
- Downgrade the warning severity for the the "md was still
referenced 1 node(s)" warning. Tor 0.2.5.4-alpha has better code
for trying to diagnose this bug, and the current warning in
earlier versions of tor achieves nothing useful. Addresses warning
from bug 7164.
o Minor features (log verbosity, backport from 0.2.5.4-alpha):
- When we run out of usable circuit IDs on a channel, log only one
warning for the whole channel, and describe how many circuits
there were on the channel. Fixes part of ticket 11553.
o Minor features (security, backport from 0.2.5.4-alpha):
- Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but
leave the default at 8GBytes), to better support Raspberry Pi
users. Fixes bug 9686; bugfix on 0.2.4.14-alpha.
o Documentation (backport from 0.2.5.4-alpha):
- Correctly document that we search for a system torrc file before
looking in ~/.torrc. Fixes documentation side of 9213; bugfix on
0.2.3.18-rc.
Changes in version 0.2.4.21 - 2014-02-28
Tor 0.2.4.21 further improves security against potential adversaries who
find breaking 1024-bit crypto doable, and backports several stability
and robustness patches from the 0.2.5 branch.
o Major features (client security):
- When we choose a path for a 3-hop circuit, make sure it contains
at least one relay that supports the NTor circuit extension
handshake. Otherwise, there is a chance that we're building
a circuit that's worth attacking by an adversary who finds
breaking 1024-bit crypto doable, and that chance changes the game
theory. Implements ticket 9777.
o Major bugfixes:
- Do not treat streams that fail with reason
END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
since it could also indicate an ENETUNREACH connection error. Fixes
part of bug 10777; bugfix on 0.2.4.8-alpha.
o Code simplification and refactoring:
- Remove data structures which were introduced to implement the
CellStatistics option: they are now redundant with the new timestamp
field in the regular packed_cell_t data structure, which we did
in 0.2.4.18-rc in order to resolve bug 9093. Resolves ticket 10870.
o Minor features:
- Always clear OpenSSL bignums before freeing them -- even bignums
that don't contain secrets. Resolves ticket 10793. Patch by
Florent Daigniere.
- Build without warnings under clang 3.4. (We have some macros that
define static functions only some of which will get used later in
the module. Starting with clang 3.4, these give a warning unless the
unused attribute is set on them.) Resolves ticket 10904.
- Update geoip and geoip6 files to the February 7 2014 Maxmind
GeoLite2 Country database.
o Minor bugfixes:
- Set the listen() backlog limit to the largest actually supported
on the system, not to the value in a header file. Fixes bug 9716;
bugfix on every released Tor.
- Treat ENETUNREACH, EACCES, and EPERM connection failures at an
exit node as a NOROUTE error, not an INTERNAL error, since they
can apparently happen when trying to connect to the wrong sort
of netblocks. Fixes part of bug 10777; bugfix on 0.1.0.1-rc.
- Fix build warnings about missing "a2x" comment when building the
manpages from scratch on OpenBSD; OpenBSD calls it "a2x.py".
Fixes bug 10929; bugfix on 0.2.2.9-alpha. Patch from Dana Koch.
- Avoid a segfault on SIGUSR1, where we had freed a connection but did
not entirely remove it from the connection lists. Fixes bug 9602;
bugfix on 0.2.4.4-alpha.
- Fix a segmentation fault in our benchmark code when running with
Fedora's OpenSSL package, or any other OpenSSL that provides
ECDH but not P224. Fixes bug 10835; bugfix on 0.2.4.8-alpha.
- Turn "circuit handshake stats since last time" log messages into a
heartbeat message. Fixes bug 10485; bugfix on 0.2.4.17-rc.
o Documentation fixes:
- Document that all but one DirPort entry must have the NoAdvertise
flag set. Fixes bug 10470; bugfix on 0.2.3.3-alpha / 0.2.3.16-alpha.
Changes in version 0.2.4.20 - 2013-12-22
Tor 0.2.4.20 fixes potentially poor random number generation for users
who 1) use OpenSSL 1.0.0 or later, 2) set "HardwareAccel 1" in their
torrc file, 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors,
and 4) have no state file in their DataDirectory (as would happen on
first start). Users who generated relay or hidden service identity
keys in such a situation should discard them and generate new ones.
This release also fixes a logic error that caused Tor clients to build
many more preemptive circuits than they actually need.
o Major bugfixes:
- Do not allow OpenSSL engines to replace the PRNG, even when
HardwareAccel is set. The only default builtin PRNG engine uses
the Intel RDRAND instruction to replace the entire PRNG, and
ignores all attempts to seed it with more entropy. That's
cryptographically stupid: the right response to a new alleged
entropy source is never to discard all previously used entropy
sources. Fixes bug 10402; works around behavior introduced in
OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman"
and "rl1987".
- Fix assertion failure when AutomapHostsOnResolve yields an IPv6
address. Fixes bug 10465; bugfix on 0.2.4.7-alpha.
- Avoid launching spurious extra circuits when a stream is pending.
This fixes a bug where any circuit that _wasn't_ unusable for new
streams would be treated as if it were, causing extra circuits to
be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha.
o Minor bugfixes:
- Avoid a crash bug when starting with a corrupted microdescriptor
cache file. Fixes bug 10406; bugfix on 0.2.2.6-alpha.
- If we fail to dump a previously cached microdescriptor to disk, avoid
freeing duplicate data later on. Fixes bug 10423; bugfix on
0.2.4.13-alpha. Spotted by "bobnomnom".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGVAwUBU45IaJEDl9iNKTGaAQKCvAv8CFVTBvwsHap8IpBT48S/sdybN0uL8L7N
1axQbgAbuTyyyskZaOTv/pp/4FvvOJ0ulCZfyrsXV7jQhsUNm1Ri9phWob2/sEpx
6Io9AVxw9W16mzduqlmxkdiVmvQNN17XTuPaYcjBtN2bbDGyrG6XtYjo03Lu3HUV
xgKuaJR7eiked8G44slbccz80V1zmKq75YD4gFJgyBBNoS/0tmjh2zmjaE+7TeBq
jEJyedFPVhhGHWg2PruDLeSgfKTIwA8KtJwAmJ7JwKNSX4LTFGz7MZrX77QdnZ3D
FRDUuvGMVq6p5QGfsx59B9Uc6o8ox6UfnXYEqtzP9fDKPRvFNU7FqSV7Siu54Bk6
f/aY00IC05etz4X6t2NOtSCKAu7/Abd7zbYRLaW/v67/r6iaR6r/LVAILgJZA8jw
acZGBaVov4ta/5sJcWLx/6iCD1VxtGkgk6TH399b1EGn9SFO4Exp5sGMLc4qiLEk
3hP+/YEYNx+yDz1IkupuwZDHa4iQtefh
=du7v
-----END PGP SIGNATURE-----
