tor-announce
Threads by month
- ----- 2025 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- 294 discussions
Tor Browser 9.0.4 is now available from the Tor Browser download page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/
2: https://www.torproject.org/dist/torbrowser/9.0.4/
This release fixes a critical security issue in Firefox [3]:
CVE-2019-17026.
3: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
Note: There was no email sent on this list for version 9.0.3, which was
released just before 9.0.4. You can find the announce for 9.0.3 on our
blog [4].
4: https://blog.torproject.org/new-release-tor-browser-903
The full changelog since Tor Browser 9.0.3 is:
* All Platforms
* Update Firefox to 68.4.1esr
1
0
Hello, everyone!
(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
. If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with. You
will have to enter the actual email address you used when you
subscribed.)
Along with 0.4.2.5, which also comes out today, we're releasing
updates to several of our old series, including the LTS (long-term
support) series 0.3.5.x.
The new releases are 0.4.1.7, 0.4.0.6, and 0.3.5.9 . Source code is
available at https://dist.torproject.org/ .
Note that 0.2.9.x will no longer be supported as of January 1, 2020,
and 0.4.0.x will no longer be supported after February 1, 2020. If
you are running one of those versions, you should make a plan to
upgrade. For more information on our supported release calendar, see
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor…
.
Changes in version 0.4.1.7 - 2019-12-09
This release backports several bugfixes to improve stability and
correctness. Anyone experiencing build problems or crashes with 0.4.1.6,
including all relays relying on AccountingMax, should upgrade.
o Major features (directory authorities, backport from 0.4.2.2-alpha):
- Directory authorities now reject relays running all currently
deprecated release series. The currently supported release series
are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.
o Major bugfixes (embedded Tor, backport from 0.4.2.2-alpha):
- Avoid a possible crash when restarting Tor in embedded mode and
enabling a different set of publish/subscribe messages. Fixes bug
31898; bugfix on 0.4.1.1-alpha.
o Major bugfixes (relay, backport from 0.4.2.3-alpha):
- Relays now respect their AccountingMax bandwidth again. When
relays entered "soft" hibernation (which typically starts when
we've hit 90% of our AccountingMax), we had stopped checking
whether we should enter hard hibernation. Soft hibernation refuses
new connections and new circuits, but the existing circuits can
continue, meaning that relays could have exceeded their configured
AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.
o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor features (continuous integration, backport from 0.4.2.2-alpha):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
o Minor features (geoip, backport from 0.4.2.5):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha):
- Avoid spurious errors when Appveyor CI fails before the install step.
Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (connections, backport from 0.4.2.3-rc):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (error handling, backport from 0.4.2.1-alpha):
- On abort, try harder to flush the output buffers of log messages.
On some platforms (macOS), log messages could be discarded when
the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- Report the tor version whenever an assertion fails. Previously, we
only reported the Tor version on some crashes, and some non-fatal
assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- When tor aborts due to an error, close log file descriptors before
aborting. Closing the logs makes some OSes flush log file buffers,
rather than deleting buffered log lines. Fixes bug 31594; bugfix
on 0.2.5.2-alpha.
o Minor bugfixes (logging, backport from 0.4.2.2-alpha):
- Add a missing check for HAVE_PTHREAD_H, because the backtrace code
uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
- Disable backtrace signal handlers when shutting down tor. Fixes
bug 31614; bugfix on 0.2.5.2-alpha.
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API,
backport from 0.4.2.3-alpha):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (multithreading, backport from 0.4.2.2-alpha):
- Avoid some undefined behaviour when freeing mutexes. Fixes bug
31736; bugfix on 0.0.7.
o Minor bugfixes (process management, backport from 0.4.2.3-alpha):
- Remove overly strict assertions that triggered when a pluggable
transport failed to launch. Fixes bug 31091; bugfix
on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
would trigger when we failed to find the executable for a child
process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (relay, backport from 0.4.2.2-alpha):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (testing, backport from 0.4.2.3-alpha):
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (tests, SunOS, backport from 0.4.2.2-alpha):
- Avoid a map_anon_nofork test failure due to a signed/unsigned
integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Documentation (backport from 0.4.2.2-alpha):
- Explain why we can't destroy the backtrace buffer mutex. Explain
why we don't need to destroy the log mutex. Closes ticket 31736.
o Testing (continuous integration, backport from 0.4.2.3-alpha):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Testing (continuous integration, backport from 0.4.2.4-rc):
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
o Testing (continuous integration, backport from 0.4.2.5):
- Require C99 standards-conforming code in Travis CI, but allow GNU gcc
extensions. Also activates clang's -Wtypedef-redefinition warnings.
Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
Changes in version 0.4.0.6 - 2019-12-09
This is the second stable release in the 0.4.0.x series. This release
backports several bugfixes to improve stability and correctness. Anyone
experiencing build problems or crashes with 0.4.0.5, including all relays
relying on AccountingMax, should upgrade.
Note that, per our support policy, support for the 0.4.0.x series will end
on 2 Feb 2020. Anyone still running 0.4.0.x should plan to upgrade to the
latest stable release, or downgrade to 0.3.5.x, which will get long-term
support until 1 Feb 2022.
o Directory authority changes (backport from 0.4.1.5):
- The directory authority "dizum" has a new IP address. Closes
ticket 31406.
o Major bugfixes (bridges, backport from 0.4.1.2-alpha):
- Consider our directory information to have changed when our list
of bridges changes. Previously, Tor would not re-compute the
status of its directory information when bridges changed, and
therefore would not realize that it was no longer able to build
circuits. Fixes part of bug 29875.
- Do not count previously configured working bridges towards our
total of working bridges. Previously, when Tor's list of bridges
changed, it would think that the old bridges were still usable,
and delay fetching router descriptors for the new ones. Fixes part
of bug 29875; bugfix on 0.3.0.1-alpha.
o Major bugfixes (circuit build, guard, backport from 0.4.1.4-rc):
- When considering upgrading circuits from "waiting for guard" to
"open", always ignore circuits that are marked for close. Otherwise,
we can end up in the situation where a subsystem is notified that
a closing circuit has just opened, leading to undesirable
behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.
o Major bugfixes (Onion service reachability, backport from 0.4.1.3-alpha):
- Properly clean up the introduction point map when circuits change
purpose from onion service circuits to pathbias, measurement, or
other circuit types. This should fix some service-side instances
of introduction point failure. Fixes bug 29034; bugfix
on 0.3.2.1-alpha.
o Major bugfixes (onion service v3, backport from 0.4.1.1-alpha):
- Fix an unreachable bug in which an introduction point could try to
send an INTRODUCE_ACK with a status code that Trunnel would refuse
to encode, leading the relay to assert(). We've consolidated the
ABI values into Trunnel now. Fixes bug 30454; bugfix
on 0.3.0.1-alpha.
- Clients can now handle unknown status codes from INTRODUCE_ACK
cells. (The NACK behavior will stay the same.) This will allow us
to extend status codes in the future without breaking the normal
client behavior. Fixes another part of bug 30454; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (relay, backport from 0.4.2.3-alpha):
- Relays now respect their AccountingMax bandwidth again. When
relays entered "soft" hibernation (which typically starts when
we've hit 90% of our AccountingMax), we had stopped checking
whether we should enter hard hibernation. Soft hibernation refuses
new connections and new circuits, but the existing circuits can
continue, meaning that relays could have exceeded their configured
AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.
o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor features (compile-time modules, backport from version 0.4.1.1-alpha):
- Add a "--list-modules" command to print a list of which compile-
time modules are enabled. Closes ticket 30452.
o Minor features (continuous integration, backport from 0.4.1.1-alpha):
- Remove sudo configuration lines from .travis.yml as they are no
longer needed with current Travis build environment. Resolves
issue 30213.
o Minor features (continuous integration, backport from 0.4.1.4-rc):
- Our Travis configuration now uses Chutney to run some network
integration tests automatically. Closes ticket 29280.
o Minor features (continuous integration, backport from 0.4.2.2-alpha):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
o Minor features (fallback directory list, backport from 0.4.1.4-rc):
- Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
in December 2018 (of which ~122 were still functional), with a
list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
in June 2019. Closes ticket 28795.
o Minor features (geoip, backport from 0.4.2.5):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Minor features (stem tests, backport from 0.4.2.1-alpha):
- Change "make test-stem" so it only runs the stem tests that use
tor. This change makes test-stem faster and more reliable. Closes
ticket 31554.
o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha):
- Avoid spurious errors when Appveyor CI fails before the install step.
Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (build system, backport form 0.4.2.1-alpha):
- Do not include the deprecated <sys/sysctl.h> on Linux or Windows
systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (circuit isolation, backport from 0.4.1.3-alpha):
- Fix a logic error that prevented the SessionGroup sub-option from
being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (circuit padding, backport from 0.4.1.4-rc):
- On relays, properly check that a padding machine is absent before
logging a warning about it being absent. Fixes bug 30649; bugfix
on 0.4.0.1-alpha.
o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (clock skew detection, backport from 0.4.1.5):
- Don't believe clock skew results from NETINFO cells that appear to
arrive before we sent the VERSIONS cells they are responding to.
Previously, we would accept them up to 3 minutes "in the past".
Fixes bug 31343; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (compilation warning, backport from 0.4.1.5):
- Fix a compilation warning on Windows about casting a function
pointer for GetTickCount64(). Fixes bug 31374; bugfix
on 0.2.9.1-alpha.
o Minor bugfixes (compilation, backport from 0.4.1.5):
- Avoid using labs() on time_t, which can cause compilation warnings
on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (compilation, backport from 0.4.2.1-alpha):
- Suppress spurious float-conversion warnings from GCC when calling
floating-point classifier functions on FreeBSD. Fixes part of bug
31687; bugfix on 0.3.1.5-alpha.
o Minor bugfixes (compilation, unusual configurations, backport from
0.4.1.1-alpha):
- Avoid failures when building with the ALL_BUGS_ARE_FATAL option
due to missing declarations of abort(), and prevent other such
failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (configuration, proxies, backport from 0.4.1.2-alpha):
- Fix a bug that prevented us from supporting SOCKS5 proxies that
want authentication along with configured (but unused!)
ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.
o Minor bugfixes (connections, backport from 0.4.2.3-rc):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (continuous integration, backport from 0.4.1.3-alpha):
- Allow the test-stem job to fail in Travis, because it sometimes
hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
- Skip test_rebind on macOS in Travis, because it is unreliable on
macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
- Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (crash on exit, backport from 0.4.1.4-rc):
- Avoid a set of possible code paths that could try to use freed
memory in routerlist_free() while Tor was exiting. Fixes bug
31003; bugfix on 0.1.2.2-alpha.
o Minor bugfixes (directory authorities, backport from 0.4.1.3-alpha):
- Stop crashing after parsing an unknown descriptor purpose
annotation. We think this bug can only be triggered by modifying a
local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.
o Minor bugfixes (directory authority, backport from 0.4.1.2-alpha):
- Move the "bandwidth-file-headers" line in directory authority
votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (error handling, backport from 0.4.2.1-alpha):
- On abort, try harder to flush the output buffers of log messages.
On some platforms (macOS), log messages could be discarded when
the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- Report the tor version whenever an assertion fails. Previously, we
only reported the Tor version on some crashes, and some non-fatal
assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (FreeBSD, PF-based proxy, IPv6, backport from 0.4.2.1-alpha):
- When extracting an IPv6 address from a PF-based proxy, verify that
we are actually configured to receive an IPv6 address, and log an
internal error if not. Fixes part of bug 31687; bugfix
on 0.2.3.4-alpha.
o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
- When tor is missing descriptors for some primary entry guards,
make the log message less alarming. It's normal for descriptors to
expire, as long as tor fetches new ones soon after. Fixes bug
31657; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (logging, backport from 0.4.1.1-alpha):
- Do not log a warning when running with an OpenSSL version other
than the one Tor was compiled with, if the two versions should be
compatible. Previously, we would warn whenever the version was
different. Fixes bug 30190; bugfix on 0.2.4.2-alpha.
o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
- Change log level of message "Hash of session info was not as
expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
on 0.1.1.10-alpha.
o Minor bugfixes (logging, backport from 0.4.2.2-alpha):
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API,
backport from 0.4.2.3-alpha):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (memory leak, backport from 0.4.1.1-alpha):
- Avoid a minor memory leak that could occur on relays when failing
to create a "keys" directory. Fixes bug 30148; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (memory leak, backport from 0.4.1.4-rc):
- Fix a trivial memory leak when parsing an invalid value
from a download schedule in the configuration. Fixes bug
30894; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (NetBSD, backport from 0.4.1.2-alpha):
- Fix usage of minherit() on NetBSD and other platforms that define
MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug
30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell.
o Minor bugfixes (onion services, backport from 0.4.1.1-alpha):
- Avoid a GCC 9.1.1 warning (and possible crash depending on libc
implemenation) when failing to load an onion service client
authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (out-of-memory handler, backport from 0.4.1.2-alpha):
- When purging the DNS cache because of an out-of-memory condition,
try purging just the older entries at first. Previously, we would
always purge the whole thing. Fixes bug 29617; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (portability, backport from 0.4.1.2-alpha):
- Avoid crashing in our tor_vasprintf() implementation on systems
that define neither vasprintf() nor _vscprintf(). (This bug has
been here long enough that we question whether people are running
Tor on such systems, but we're applying the fix out of caution.)
Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by
Tobias Stoeckmann.
o Minor bugfixes (process management, backport from 0.4.2.3-alpha):
- Remove overly strict assertions that triggered when a pluggable
transport failed to launch. Fixes bug 31091; bugfix
on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
would trigger when we failed to find the executable for a child
process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (relay, backport from 0.4.2.2-alpha):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (rust, backport from 0.4.2.1-alpha):
- Correctly exclude a redundant rust build job in Travis. Fixes bug
31463; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (testing, backport from 0.4.2.3-alpha):
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
- Always retry v2 single onion service intro and rend circuits with
a 3-hop path. Previously, v2 single onion services used a 3-hop
path when rendezvous circuits were retried after a remote or
delayed failure, but a 1-hop path for immediate retries. Fixes bug
23818; bugfix on 0.2.9.3-alpha.
- Make v3 single onion services fall back to a 3-hop intro, when all
intro points are unreachable via a 1-hop path. Previously, v3
single onion services failed when all intro nodes were unreachable
via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
o Documentation (backport from 0.4.2.1-alpha):
- Use RFC 2397 data URL scheme to embed an image into tor-exit-
notice.html so that operators no longer have to host it
themselves. Closes ticket 31089.
o Testing (backport from 0.4.1.2-alpha):
- Specify torrc paths (with empty files) when launching tor in
integration tests; refrain from reading user and system torrcs.
Resolves issue 29702.
o Testing (continuous integration, backport from 0.4.1.1-alpha):
- In Travis, show stem's tor log after failure. Closes ticket 30234.
o Testing (continuous integration, backport from 0.4.1.5):
- In Travis, make stem log a controller trace to the console, and
tail stem's tor log after failure. Closes ticket 30591.
- In Travis, only run the stem tests that use a tor binary. Closes
ticket 30694.
o Testing (continuous integration, backport from 0.4.2.3-alpha):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Testing (continuous integration, backport from 0.4.2.4-rc):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
o Testing (continuous integration, backport from 0.4.2.5):
- Require C99 standards-conforming code in Travis CI, but allow GNU gcc
extensions. Also activates clang's -Wtypedef-redefinition warnings.
Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
Changes in version 0.3.5.9 - 2019-12-09
Tor 0.3.5.9 backports serveral fixes from later releases, including
several that affect bridge users, relay stability, onion services,
and much more.
o Directory authority changes (backport from 0.4.1.5):
- The directory authority "dizum" has a new IP address. Closes
ticket 31406.
o Major bugfixes (bridges, backport from 0.4.1.2-alpha):
- Consider our directory information to have changed when our list
of bridges changes. Previously, Tor would not re-compute the
status of its directory information when bridges changed, and
therefore would not realize that it was no longer able to build
circuits. Fixes part of bug 29875.
- Do not count previously configured working bridges towards our
total of working bridges. Previously, when Tor's list of bridges
changed, it would think that the old bridges were still usable,
and delay fetching router descriptors for the new ones. Fixes part
of bug 29875; bugfix on 0.3.0.1-alpha.
o Major bugfixes (circuit build, guard, backport from 0.4.1.4-rc):
- When considering upgrading circuits from "waiting for guard" to
"open", always ignore circuits that are marked for close. Otherwise,
we can end up in the situation where a subsystem is notified that
a closing circuit has just opened, leading to undesirable
behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.
o Major bugfixes (NSS, relay, backport from 0.4.0.4-rc):
- When running with NSS, disable TLS 1.2 ciphersuites that use
SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for
these ciphersuites don't work -- which caused relays to fail to
handshake with one another when these ciphersuites were enabled.
Fixes bug 29241; bugfix on 0.3.5.1-alpha.
o Major bugfixes (Onion service reachability, backport from 0.4.1.3-alpha):
- Properly clean up the introduction point map when circuits change
purpose from onion service circuits to pathbias, measurement, or
other circuit types. This should fix some service-side instances
of introduction point failure. Fixes bug 29034; bugfix
on 0.3.2.1-alpha.
o Major bugfixes (onion service v3, backport from 0.4.1.1-alpha):
- Fix an unreachable bug in which an introduction point could try to
send an INTRODUCE_ACK with a status code that Trunnel would refuse
to encode, leading the relay to assert(). We've consolidated the
ABI values into Trunnel now. Fixes bug 30454; bugfix
on 0.3.0.1-alpha.
- Clients can now handle unknown status codes from INTRODUCE_ACK
cells. (The NACK behavior will stay the same.) This will allow us
to extend status codes in the future without breaking the normal
client behavior. Fixes another part of bug 30454; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor features (address selection, backport from 0.4.0.3-alpha):
- Treat the subnet 100.64.0.0/10 as public for some purposes;
private for others. This subnet is the RFC 6598 (Carrier Grade
NAT) IP range, and is deployed by many ISPs as an alternative to
RFC 1918 that does not break existing internal networks. Tor now
blocks SOCKS and control ports on these addresses and warns users
if client ports or ExtORPorts are listening on a RFC 6598 address.
Closes ticket 28525. Patch by Neel Chauhan.
o Minor features (bandwidth authority, backport from 0.4.0.4-rc):
- Make bandwidth authorities ignore relays that are reported in the
bandwidth file with the flag "vote=0". This change allows us to
report unmeasured relays for diagnostic reasons without including
their bandwidth in the bandwidth authorities' vote. Closes
ticket 29806.
o Minor features (compile-time modules, backport from version 0.4.1.1-alpha):
- Add a "--list-modules" command to print a list of which compile-
time modules are enabled. Closes ticket 30452.
o Minor features (continuous integration, backport from 0.4.0.4-rc):
- On Travis Rust builds, cleanup Rust registry and refrain from
caching the "target/" directory to speed up builds. Resolves
issue 29962.
o Minor features (continuous integration, backport from 0.4.0.5):
- In Travis, tell timelimit to use stem's backtrace signals, and
launch python directly from timelimit, so python receives the
signals from timelimit, rather than make. Closes ticket 30117.
o Minor features (continuous integration, backport from 0.4.1.1-alpha):
- Remove sudo configuration lines from .travis.yml as they are no
longer needed with current Travis build environment. Resolves
issue 30213.
o Minor features (continuous integration, backport from 0.4.1.4-rc):
- Our Travis configuration now uses Chutney to run some network
integration tests automatically. Closes ticket 29280.
o Minor features (continuous integration, backport from 0.4.2.2-alpha):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
o Minor features (fallback directory list, backport from 0.4.1.4-rc):
- Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
in December 2018 (of which ~122 were still functional), with a
list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
in June 2019. Closes ticket 28795.
o Minor features (geoip, backport from 0.4.2.5):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Minor features (NSS, diagnostic, backport from 0.4.0.4-rc):
- Try to log an error from NSS (if there is any) and a more useful
description of our situation if we are using NSS and a call to
SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.
o Minor features (stem tests, backport from 0.4.2.1-alpha):
- Change "make test-stem" so it only runs the stem tests that use
tor. This change makes test-stem faster and more reliable. Closes
ticket 31554.
o Minor bugfixes (security, backport from 0.4.0.4-rc):
- Verify in more places that we are not about to create a buffer
with more than INT_MAX bytes, to avoid possible OOB access in the
event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and
fixed by Tobias Stoeckmann.
- Fix a potential double free bug when reading huge bandwidth files.
The issue is not exploitable in the current Tor network because
the vulnerable code is only reached when directory authorities
read bandwidth files, but bandwidth files come from a trusted
source (usually the authorities themselves). Furthermore, the
issue is only exploitable in rare (non-POSIX) 32-bit architectures,
which are not used by any of the current authorities. Fixes bug
30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by
Tobias Stoeckmann.
o Minor bugfix (continuous integration, backport from 0.4.0.4-rc):
- Reset coverage state on disk after Travis CI has finished. This
should prevent future coverage merge errors from causing the test
suite for the "process" subsystem to fail. The process subsystem
was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix
on 0.2.9.15.
- Terminate test-stem if it takes more than 9.5 minutes to run.
(Travis terminates the job after 10 minutes of no output.)
Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha):
- Avoid spurious errors when Appveyor CI fails before the install step.
Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (build system, backport form 0.4.2.1-alpha):
- Do not include the deprecated <sys/sysctl.h> on Linux or Windows
systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (C correctness, backport from 0.4.0.4-rc):
- Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug
29824; bugfix on 0.3.1.1-alpha. This is Coverity warning
CID 1444119.
o Minor bugfixes (circuit isolation, backport from 0.4.1.3-alpha):
- Fix a logic error that prevented the SessionGroup sub-option from
being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (clock skew detection, backport from 0.4.1.5):
- Don't believe clock skew results from NETINFO cells that appear to
arrive before we sent the VERSIONS cells they are responding to.
Previously, we would accept them up to 3 minutes "in the past".
Fixes bug 31343; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (compilation warning, backport from 0.4.1.5):
- Fix a compilation warning on Windows about casting a function
pointer for GetTickCount64(). Fixes bug 31374; bugfix
on 0.2.9.1-alpha.
o Minor bugfixes (compilation, backport from 0.4.0.2-alpha):
- Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug
29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (compilation, backport from 0.4.1.5):
- Avoid using labs() on time_t, which can cause compilation warnings
on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (compilation, backport from 0.4.2.1-alpha):
- Suppress spurious float-conversion warnings from GCC when calling
floating-point classifier functions on FreeBSD. Fixes part of bug
31687; bugfix on 0.3.1.5-alpha.
o Minor bugfixes (compilation, unusual configurations, backport from
0.4.1.1-alpha):
- Avoid failures when building with the ALL_BUGS_ARE_FATAL option
due to missing declarations of abort(), and prevent other such
failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (configuration, proxies, backport from 0.4.1.2-alpha):
- Fix a bug that prevented us from supporting SOCKS5 proxies that
want authentication along with configured (but unused!)
ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.
o Minor bugfixes (connections, backport from 0.4.2.3-rc):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (continuous integration, backport from 0.4.1.3-alpha):
- Allow the test-stem job to fail in Travis, because it sometimes
hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
- Skip test_rebind on macOS in Travis, because it is unreliable on
macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
- Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (crash on exit, backport from 0.4.1.4-rc):
- Avoid a set of possible code paths that could try to use freed
memory in routerlist_free() while Tor was exiting. Fixes bug
31003; bugfix on 0.1.2.2-alpha.
o Minor bugfixes (directory authorities, backport from 0.4.1.3-alpha):
- Stop crashing after parsing an unknown descriptor purpose
annotation. We think this bug can only be triggered by modifying a
local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.
o Minor bugfixes (directory authority, backport from 0.4.1.2-alpha):
- Move the "bandwidth-file-headers" line in directory authority
votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (error handling, backport from 0.4.2.1-alpha):
- On abort, try harder to flush the output buffers of log messages.
On some platforms (macOS), log messages could be discarded when
the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- Report the tor version whenever an assertion fails. Previously, we
only reported the Tor version on some crashes, and some non-fatal
assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (FreeBSD, PF-based proxy, IPv6, backport from 0.4.2.1-alpha):
- When extracting an IPv6 address from a PF-based proxy, verify that
we are actually configured to receive an IPv6 address, and log an
internal error if not. Fixes part of bug 31687; bugfix
on 0.2.3.4-alpha.
o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
- When tor is missing descriptors for some primary entry guards,
make the log message less alarming. It's normal for descriptors to
expire, as long as tor fetches new ones soon after. Fixes bug
31657; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (logging, backport from 0.4.0.2-alpha):
- Avoid logging that we are relaxing a circuit timeout when that
timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (logging, backport from 0.4.0.3-alpha):
- Correct a misleading error message when IPv4Only or IPv6Only is
used but the resolved address can not be interpreted as an address
of the specified IP version. Fixes bug 13221; bugfix on
0.2.3.9-alpha. Patch from Kris Katterjohn.
- Log the correct port number for listening sockets when "auto" is
used to let Tor pick the port number. Previously, port 0 was
logged instead of the actual port number. Fixes bug 29144; bugfix
on 0.3.5.1-alpha. Patch from Kris Katterjohn.
- Stop logging a BUG() warning when Tor is waiting for exit
descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (logging, backport from 0.4.1.1-alpha):
- Do not log a warning when running with an OpenSSL version other
than the one Tor was compiled with, if the two versions should be
compatible. Previously, we would warn whenever the version was
different. Fixes bug 30190; bugfix on 0.2.4.2-alpha.
o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
- Change log level of message "Hash of session info was not as
expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
on 0.1.1.10-alpha.
o Minor bugfixes (logging, backport from 0.4.2.2-alpha):
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API,
backport from 0.4.2.3-alpha):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (memory leak, backport from 0.4.1.1-alpha):
- Avoid a minor memory leak that could occur on relays when failing
to create a "keys" directory. Fixes bug 30148; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (memory leak, backport from 0.4.1.4-rc):
- Fix a trivial memory leak when parsing an invalid value
from a download schedule in the configuration. Fixes bug
30894; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (memory management, backport from 0.4.0.3-alpha):
- Refactor the shared random state's memory management so that it
actually takes ownership of the shared random value pointers.
Fixes bug 29706; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (memory management, testing, backport from 0.4.0.3-alpha):
- Stop leaking parts of the shared random state in the shared-random
unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (onion services, backport from 0.4.1.1-alpha):
- Avoid a GCC 9.1.1 warning (and possible crash depending on libc
implemenation) when failing to load an onion service client
authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (out-of-memory handler, backport from 0.4.1.2-alpha):
- When purging the DNS cache because of an out-of-memory condition,
try purging just the older entries at first. Previously, we would
always purge the whole thing. Fixes bug 29617; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (portability, backport from 0.4.1.2-alpha):
- Avoid crashing in our tor_vasprintf() implementation on systems
that define neither vasprintf() nor _vscprintf(). (This bug has
been here long enough that we question whether people are running
Tor on such systems, but we're applying the fix out of caution.)
Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by
Tobias Stoeckmann.
o Minor bugfixes (relay, backport from 0.4.2.2-alpha):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (rust, backport from 0.4.0.5):
- Abort on panic in all build profiles, instead of potentially
unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (rust, backport from 0.4.2.1-alpha):
- Correctly exclude a redundant rust build job in Travis. Fixes bug
31463; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (single onion services, backport from 0.4.0.3-alpha):
- Allow connections to single onion services to remain idle without
being disconnected. Previously, relays acting as rendezvous points
for single onion services were mistakenly closing idle rendezvous
circuits after 60 seconds, thinking that they were unused
directory-fetching circuits that had served their purpose. Fixes
bug 29665; bugfix on 0.2.1.26.
o Minor bugfixes (stats, backport from 0.4.0.3-alpha):
- When ExtraInfoStatistics is 0, stop including PaddingStatistics in
relay and bridge extra-info documents. Fixes bug 29017; bugfix
on 0.3.1.1-alpha.
o Minor bugfixes (testing, backport from 0.4.0.3-alpha):
- Downgrade some LOG_ERR messages in the address/* tests to
warnings. The LOG_ERR messages were occurring when we had no
configured network. We were failing the unit tests, because we
backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug
29530; bugfix on 0.3.5.8.
- Fix our gcov wrapper script to look for object files at the
correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing, backport from 0.4.0.4-rc):
- Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a
recent test-network.sh to use new chutney features in CI. Fixes
bug 29703; bugfix on 0.2.9.1-alpha.
- Fix a test failure on Windows caused by an unexpected "BUG"
warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix
on 0.2.9.3-alpha.
o Minor bugfixes (testing, backport from 0.4.2.3-alpha):
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (TLS protocol, backport form 0.4.0.4-rc):
- When classifying a client's selection of TLS ciphers, if the
client ciphers are not yet available, do not cache the result.
Previously, we had cached the unavailability of the cipher list
and never looked again, which in turn led us to assume that the
client only supported the ancient V1 link protocol. This, in turn,
was causing Stem integration tests to stall in some cases. Fixes
bug 30021; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
- Always retry v2 single onion service intro and rend circuits with
a 3-hop path. Previously, v2 single onion services used a 3-hop
path when rendezvous circuits were retried after a remote or
delayed failure, but a 1-hop path for immediate retries. Fixes bug
23818; bugfix on 0.2.9.3-alpha.
- Make v3 single onion services fall back to a 3-hop intro, when all
intro points are unreachable via a 1-hop path. Previously, v3
single onion services failed when all intro nodes were unreachable
via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (Windows, CI, backport from 0.4.0.3-alpha):
- Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit
Windows Server 2012 R2 job. The remaining 2 jobs still provide
coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set
fast_finish, so failed jobs terminate the build immediately. Fixes
bug 29601; bugfix on 0.3.5.4-alpha.
o Documentation (backport from 0.4.2.1-alpha):
- Use RFC 2397 data URL scheme to embed an image into tor-exit-
notice.html so that operators no longer have to host it
themselves. Closes ticket 31089.
o Testing (backport from 0.4.1.2-alpha):
- Specify torrc paths (with empty files) when launching tor in
integration tests; refrain from reading user and system torrcs.
Resolves issue 29702.
o Testing (continuous integration, backport from 0.4.1.1-alpha):
- In Travis, show stem's tor log after failure. Closes ticket 30234.
o Testing (continuous integration, backport from 0.4.1.5):
- In Travis, make stem log a controller trace to the console, and
tail stem's tor log after failure. Closes ticket 30591.
- In Travis, only run the stem tests that use a tor binary. Closes
ticket 30694.
o Testing (continuous integration, backport from 0.4.2.3-alpha):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Testing (continuous integration, backport from 0.4.2.4-rc):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
o Testing (continuous integration, backport from 0.4.2.5):
- Require C99 standards-conforming code in Travis CI, but allow GNU gcc
extensions. Also activates clang's -Wtypedef-redefinition warnings.
Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
1
0
Hello, everyone!
(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
. If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with. You
will have to enter the actual email address you used when you
subscribed.)
After months of work, Tor 0.4.2.5 is now available! This is the first
stable release in the 0.4.2.x series, and we hope you find it useful.
You can download the source code from the usual place on the website.
Packages should be available within the next several weeks, with a new
Tor Browser around January 7.
Changes in version 0.4.2.5 - 2019-12-09
This is the first stable release in the 0.4.2.x series. This series
improves reliability and stability, and includes several stability and
correctness improvements for onion services. It also fixes many smaller
bugs present in previous series.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.4.1.4-rc. For a complete list of only
the changes since 0.4.2.4-rc, see the ChangeLog file.
o Major features (directory authorities):
- Directory authorities now reject relays running all currently
deprecated release series. The currently supported release series
are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.
o Major features (onion service v3, denial of service):
- Add onion service introduction denial of service defenses. Intro
points can now rate-limit client introduction requests, using
parameters that can be sent by the service within the
ESTABLISH_INTRO cell. If the cell extension for this is not used,
the intro point will honor the consensus parameters. Closes
ticket 30924.
o Major bugfixes (circuit build, guard):
- When considering upgrading circuits from "waiting for guard" to
"open", always ignore circuits that are marked for close.
Previously we could end up in the situation where a subsystem is
notified of a circuit opening, but the circuit is still marked for
close, leading to undesirable behavior. Fixes bug 30871; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (crash, Linux, Android):
- Tolerate systems (including some Android installations) where
madvise and MADV_DONTDUMP are available at build-time, but not at
run time. Previously, these systems would notice a failed syscall
and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
- Tolerate systems (including some Linux installations) where
madvise and/or MADV_DONTFORK are available at build-time, but not
at run time. Previously, these systems would notice a failed
syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
o Major bugfixes (embedded Tor):
- Avoid a possible crash when restarting Tor in embedded mode and
enabling a different set of publish/subscribe messages. Fixes bug
31898; bugfix on 0.4.1.1-alpha.
o Major bugfixes (relay):
- Relays now respect their AccountingMax bandwidth again. When
relays entered "soft" hibernation (which typically starts when
we've hit 90% of our AccountingMax), we had stopped checking
whether we should enter hard hibernation. Soft hibernation refuses
new connections and new circuits, but the existing circuits can
continue, meaning that relays could have exceeded their configured
AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.
o Major bugfixes (torrc parsing):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Major bugfixes (v3 onion services):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor feature (onion services, control port):
- The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
(v3) onion services. Previously it defaulted to RSA1024 (v2).
Closes ticket 29669.
o Minor features (auto-formatting scripts):
- When annotating C macros, never generate a line that our check-
spaces script would reject. Closes ticket 31759.
- When annotating C macros, try to remove cases of double-negation.
Closes ticket 31779.
o Minor features (best practices tracker):
- Our best-practices tracker now integrates with our include-checker
tool to keep track of how many layering violations we have not yet
fixed. We hope to reduce this number over time to improve Tor's
modularity. Closes ticket 31176.
- Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments to
practracker from the environment. We may want this for continuous
integration. Closes ticket 31309.
- Give a warning rather than an error when a practracker exception
is violated by a small amount, add a --list-overbroad option to
practracker that lists exceptions that are stricter than they need
to be, and provide an environment variable for disabling
practracker. Closes ticket 30752.
- Our best-practices tracker now looks at headers as well as C
files. Closes ticket 31175.
o Minor features (build system):
- Make pkg-config use --prefix when cross-compiling, if
PKG_CONFIG_PATH is not set. Closes ticket 32191.
- Add --disable-manpage and --disable-html-manual options to
configure script. This will enable shortening build times by not
building documentation. Resolves issue 19381.
o Minor features (compilation):
- Log a more useful error message when we are compiling and one of
the compile-time hardening options we have selected can be linked
but not executed. Closes ticket 27530.
o Minor features (configuration):
- The configuration code has been extended to allow splitting
configuration data across multiple objects. Previously, all
configuration data needed to be kept in a single object, which
tended to become bloated. Closes ticket 31240.
o Minor features (continuous integration):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
- When running CI builds on Travis, put some random data in
~/.torrc, to make sure no tests are reading the Tor configuration
file from its default location. Resolves issue 30102.
o Minor features (debugging):
- Log a nonfatal assertion failure if we encounter a configuration
line whose command is "CLEAR" but which has a nonempty value. This
should be impossible, according to the rules of our configuration
line parsing. Closes ticket 31529.
o Minor features (geoip):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Minor features (git hooks):
- Our pre-commit git hook now checks for a special file before
running practracker, so that practracker only runs on branches
that are based on master. Since the pre-push hook calls the pre-
commit hook, practracker will also only run before pushes of
branches based on master. Closes ticket 30979.
o Minor features (git scripts):
- Add a "--" command-line argument, to separate git-push-all.sh
script arguments from arguments that are passed through to git
push. Closes ticket 31314.
- Add a -r <remote-name> argument to git-push-all.sh, so the script
can push test branches to a personal remote. Closes ticket 31314.
- Add a -t <test-branch-prefix> argument to git-merge-forward.sh and
git-push-all.sh, which makes these scripts create, merge forward,
and push test branches. Closes ticket 31314.
- Add a -u argument to git-merge-forward.sh, so that the script can
re-use existing test branches after a merge failure and fix.
Closes ticket 31314.
- Add a TOR_GIT_PUSH env var, which sets the default git push
command and arguments for git-push-all.sh. Closes ticket 31314.
- Add a TOR_PUSH_DELAY variable to git-push-all.sh, which makes the
script push master and maint branches with a delay between each
branch. These delays trigger the CI jobs in a set order, which
should show the most likely failures first. Also make pushes
atomic by default, and make the script pass any command-line
arguments to git push. Closes ticket 29879.
- Call the shellcheck script from the pre-commit hook. Closes
ticket 30967.
- Skip pushing test branches that are the same as a remote
maint/release/master branch in git-push-all.sh by default. Add a
-s argument, so git-push-all.sh can push all test branches. Closes
ticket 31314.
o Minor features (IPv6, logging):
- Log IPv6 addresses as well as IPv4 addresses when describing
routerinfos, routerstatuses, and nodes. Closes ticket 21003.
o Minor features (maintenance scripts):
- Add a Coccinelle script to detect bugs caused by incrementing or
decrementing a variable inside a call to log_debug(). Since
log_debug() is a macro whose arguments are conditionally
evaluated, it is usually an error to do this. One such bug was
30628, in which SENDME cells were miscounted by a decrement
operator inside a log_debug() call. Closes ticket 30743.
o Minor features (onion service v3):
- Do not allow single hop clients to fetch or post an HS descriptor
from an HSDir. Closes ticket 24964.
o Minor features (onion service):
- Disallow single-hop clients at the introduction point. We've
removed Tor2web support a while back and single-hop rendezvous
attempts are blocked at the relays. This change should remove load
off the network from spammy clients. Close ticket 24963.
o Minor features (onion services v3):
- Assist users who try to setup v2 client authorization in v3 onion
services by pointing them to the right documentation. Closes
ticket 28966.
o Minor features (stem tests):
- Change "make test-stem" so it only runs the stem tests that use
tor. This change makes test-stem faster and more reliable. Closes
ticket 31554.
o Minor features (testing):
- When running tests that attempt to look up hostnames, replace the
libc name lookup functions with ones that do not actually touch
the network. This way, the tests complete more quickly in the
presence of a slow or missing DNS resolver. Closes ticket 31841.
- Add a script to invoke "tor --dump-config" and "tor
--verify-config" with various configuration options, and see
whether tor's resulting configuration or error messages are what
we expect. Use it for integration testing of our +Option and
/Option flags. Closes ticket 31637.
- Improve test coverage for our existing configuration parsing and
management API. Closes ticket 30893.
- Add integration tests to make sure that practracker gives the
outputs we expect. Closes ticket 31477.
- The practracker self-tests are now run as part of the Tor test
suite. Closes ticket 31304.
o Minor features (testing, continuous integration):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Minor features (token bucket):
- Implement a generic token bucket that uses a single counter, for
use in anti-DoS onion service work. Closes ticket 30687.
o Minor bugfixes (Appveyor continuous integration):
- Avoid spurious errors when Appveyor CI fails before the install
step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (best practices tracker):
- Fix a few issues in the best-practices script, including tests,
tab tolerance, error reporting, and directory-exclusion logic.
Fixes bug 29746; bugfix on 0.4.1.1-alpha.
- When running check-best-practices, only consider files in the src
subdirectory. Previously we had recursively considered all
subdirectories, which made us get confused by the temporary
directories made by "make distcheck". Fixes bug 31578; bugfix
on 0.4.1.1-alpha.
o Minor bugfixes (build system):
- Interpret "--disable-module-dirauth=no" correctly. Fixes bug
32124; bugfix on 0.3.4.1-alpha.
- Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
on 0.2.0.20-rc.
- Stop failing when jemalloc is requested, but tcmalloc is not
found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
- When pkg-config is not installed, or a library that depends on
pkg-config is not found, tell the user what to do to fix the
problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.
- Do not include the deprecated <sys/sysctl.h> on Linux or Windows
systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (chutney, makefiles, documentation):
- "make test-network-all" now shows the warnings from each test-
network.sh run on the console, so developers see new warnings
early. We've also improved the documentation for this feature, and
renamed a Makefile variable so the code is self-documenting. Fixes
bug 30455; bugfix on 0.3.0.4-rc.
o Minor bugfixes (client, onion service v3):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (code quality):
- Fix "make check-includes" so it runs correctly on out-of-tree
builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (compilation):
- Add more stub functions to fix compilation on Android with link-
time optimization when --disable-module-dirauth is used.
Previously, these compilation settings would make the compiler
look for functions that didn't exist. Fixes bug 31552; bugfix
on 0.4.1.1-alpha.
- Suppress spurious float-conversion warnings from GCC when calling
floating-point classifier functions on FreeBSD. Fixes part of bug
31687; bugfix on 0.3.1.5-alpha.
o Minor bugfixes (configuration):
- Invalid floating-point values in the configuration file are now
treated as errors in the configuration. Previously, they were
ignored and treated as zero. Fixes bug 31475; bugfix on 0.0.1.
o Minor bugfixes (connections):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and
ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (coverity):
- Add an assertion when parsing a BEGIN cell so that coverity can be
sure that we are not about to dereference a NULL address. Fixes
bug 31026; bugfix on 0.2.4.7-alpha. This is CID 1447296.
- In our siphash implementation, when building for coverity, use
memcpy in place of a switch statement, so that coverity can tell
we are not accessing out-of-bounds memory. Fixes bug 31025; bugfix
on 0.2.8.1-alpha. This is tracked as CID 1447293 and 1447295.
- Fix several coverity warnings from our unit tests. Fixes bug
31030; bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
o Minor bugfixes (crash):
- When running Tor with an option like --verify-config or
--dump-config that does not start the event loop, avoid crashing
if we try to exit early because of an error. Fixes bug 32407;
bugfix on 0.3.3.1-alpha.
o Minor bugfixes (developer tooling):
- Only log git script changes in the post-merge script when the
merge was to the master branch. Fixes bug 31040; bugfix
on 0.4.1.1-alpha.
o Minor bugfixes (directory authorities):
- Return a distinct status when formatting annotations fails. Fixes
bug 30780; bugfix on 0.2.0.8-alpha.
o Minor bugfixes (error handling):
- Always lock the backtrace buffer before it is used. Fixes bug
31734; bugfix on 0.2.5.3-alpha.
- On abort, try harder to flush the output buffers of log messages.
On some platforms (macOS), log messages could be discarded when
the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- Report the tor version whenever an assertion fails. Previously, we
only reported the Tor version on some crashes, and some non-fatal
assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- When tor aborts due to an error, close log file descriptors before
aborting. Closing the logs makes some OSes flush log file buffers,
rather than deleting buffered log lines. Fixes bug 31594; bugfix
on 0.2.5.2-alpha.
o Minor bugfixes (FreeBSD, PF-based proxy, IPv6):
- When extracting an IPv6 address from a PF-based proxy, verify that
we are actually configured to receive an IPv6 address, and log an
internal error if not. Fixes part of bug 31687; bugfix
on 0.2.3.4-alpha.
o Minor bugfixes (git hooks):
- Remove a duplicate call to practracker from the pre-push hook. The
pre-push hook already calls the pre-commit hook, which calls
practracker. Fixes bug 31462; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (git scripts):
- Stop hard-coding the bash path in the git scripts. Some OSes don't
have bash in /usr/bin, others have an ancient bash at this path.
Fixes bug 30840; bugfix on 0.4.0.1-alpha.
- Stop hard-coding the tor master branch name and worktree path in
the git scripts. Fixes bug 30841; bugfix on 0.4.0.1-alpha.
- Allow git-push-all.sh to be run from any directory. Previously,
the script only worked if run from an upstream worktree directory.
Closes ticket 31678.
o Minor bugfixes (guards):
- When tor is missing descriptors for some primary entry guards,
make the log message less alarming. It's normal for descriptors to
expire, as long as tor fetches new ones soon after. Fixes bug
31657; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (ipv6):
- Check for private IPv6 addresses alongside their IPv4 equivalents
when authorities check descriptors. Previously, we only checked
for private IPv4 addresses. Fixes bug 31088; bugfix on
0.2.3.21-rc. Patch by Neel Chauhan.
- When parsing microdescriptors, we should check the IPv6 exit
policy alongside IPv4. Previously, we checked both exit policies
for only router info structures, while microdescriptors were
IPv4-only. Fixes bug 27284; bugfix on 0.2.3.1-alpha. Patch by
Neel Chauhan.
o Minor bugfixes (logging):
- Add a missing check for HAVE_PTHREAD_H, because the backtrace code
uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
- Disable backtrace signal handlers when shutting down tor. Fixes
bug 31614; bugfix on 0.2.5.2-alpha.
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
- When initialising log domain masks, only set known log domains.
Fixes bug 31854; bugfix on 0.2.1.1-alpha.
- Change log level of message "Hash of session info was not as
expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
on 0.1.1.10-alpha.
- Fix a code issue that would have broken our parsing of log domains
as soon as we had 33 of them. Fortunately, we still only have 29.
Fixes bug 31451; bugfix on 0.4.1.4-rc.
o Minor bugfixes (logging, protocol violations):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (memory management):
- Stop leaking a small amount of memory in nt_service_install(), in
unreachable code. Fixes bug 30799; bugfix on 0.2.0.7-alpha. Patch
by Xiaoyin Liu.
o Minor bugfixes (modules):
- Explain what the optional Directory Authority module is, and what
happens when it is disabled. Fixes bug 31825; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (multithreading):
- Avoid some undefined behaviour when freeing mutexes. Fixes bug
31736; bugfix on 0.0.7.
o Minor bugfixes (networking, IP addresses):
- When parsing addresses via Tor's internal DNS lookup API, reject
IPv4 addresses in square brackets, and accept IPv6 addresses in
square brackets. This change completes the work started in 23082,
making address parsing consistent between tor's internal DNS
lookup and address parsing APIs. Fixes bug 30721; bugfix
on 0.2.1.5-alpha.
- When parsing addresses via Tor's internal address:port parsing and
DNS lookup APIs, require IPv6 addresses with ports to have square
brackets. But allow IPv6 addresses without ports, whether or not
they have square brackets. Fixes bug 30721; bugfix
on 0.2.1.5-alpha.
o Minor bugfixes (onion service v3):
- When purging the client descriptor cache, close any introduction
point circuits associated with purged cache entries. This avoids
picking those circuits later when connecting to the same
introduction points. Fixes bug 30921; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion services):
- In the hs_ident_circuit_t data structure, remove the unused field
circuit_type and the respective argument in hs_ident_circuit_new().
This field was set by clients (for introduction) and services (for
introduction and rendezvous) but was never used afterwards. Fixes
bug 31490; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (operator tools):
- Make tor-print-ed-signing-cert(1) print certificate expiration
date in RFC 1123 and UNIX timestamp formats, to make output
machine readable. Fixes bug 31012; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (process management):
- Remove overly strict assertions that triggered when a pluggable
transport failed to launch. Fixes bug 31091; bugfix
on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
would trigger when we failed to find the executable for a child
process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (relay):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (rust):
- Correctly exclude a redundant rust build job in Travis. Fixes bug
31463; bugfix on 0.3.5.4-alpha.
- Raise the minimum rustc version to 1.31.0, as checked by configure
and CI. Fixes bug 31442; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (sendme, code structure):
- Rename the trunnel SENDME file definition from sendme.trunnel to
sendme_cell.trunnel to avoid having twice sendme.{c|h} in the
repository. Fixes bug 30769; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (statistics):
- Stop removing the ed25519 signature if the extra info file is too
big. If the signature data was removed, but the keyword was kept,
this could result in an unparseable extra info file. Fixes bug
30958; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (subsystems):
- Make the subsystem init order match the subsystem module
dependencies. Call windows process security APIs as early as
possible. Initialize logging before network and time, so that
network and time can use logging. Fixes bug 31615; bugfix
on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Avoid intermittent test failures due to a test that had relied on
inconsistent timing sources. Fixes bug 31995; bugfix
on 0.3.1.3-alpha.
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
- Teach the util/socketpair_ersatz test to work correctly when we
have no network stack configured. Fixes bug 30804; bugfix
on 0.2.5.1-alpha.
o Minor bugfixes (tests, SunOS):
- Avoid a map_anon_nofork test failure due to a signed/unsigned
integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (tls, logging):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Minor bugfixes (v2 single onion services):
- Always retry v2 single onion service intro and rend circuits with
a 3-hop path. Previously, v2 single onion services used a 3-hop
path when rendezvous circuits were retried after a remote or
delayed failure, but a 1-hop path for immediate retries. Fixes bug
23818; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (v3 onion services):
- When cleaning up intro circuits for a v3 onion service, don't
remove circuits that have an established or pending circuit, even
if they ran out of retries. This way, we don't remove a circuit on
its last retry. Fixes bug 31652; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (v3 single onion services):
- Always retry v3 single onion service intro and rend circuits with
a 3-hop path. Previously, v3 single onion services used a 3-hop
path when rend circuits were retried after a remote or delayed
failure, but a 1-hop path for immediate retries. Fixes bug 23818;
bugfix on 0.3.2.1-alpha.
- Make v3 single onion services fall back to a 3-hop intro, when all
intro points are unreachable via a 1-hop path. Previously, v3
single onion services failed when all intro nodes were unreachable
via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
o Code simplification and refactoring:
- Refactor connection_control_process_inbuf() to reduce the size of
a practracker exception. Closes ticket 31840.
- Refactor the microdescs_parse_from_string() function into smaller
pieces, for better comprehensibility. Closes ticket 31675.
- Use SEVERITY_MASK_IDX() to find the LOG_* mask indexes in the unit
tests and fuzzers, rather than using hard-coded values. Closes
ticket 31334.
- Interface for function `decrypt_desc_layer` cleaned up. Closes
ticket 31589.
o Documentation:
- Correct the description of "GuardLifetime". Fixes bug 31189;
bugfix on 0.3.0.1-alpha.
- Make clear in the man page, in both the bandwidth section and the
AccountingMax section, that Tor counts in powers of two, not
powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
bytes. Resolves ticket 32106.
- Document the signal-safe logging behaviour in the tor man page.
Also add some comments to the relevant functions. Closes
ticket 31839.
- Explain why we can't destroy the backtrace buffer mutex. Explain
why we don't need to destroy the log mutex. Closes ticket 31736.
- The Tor source code repository now includes a (somewhat dated)
description of Tor's modular architecture, in doc/HACKING/design.
This is based on the old "tor-guts.git" repository, which we are
adopting and superseding. Closes ticket 31849.
- Improve documentation in circuit padding subsystem. Patch by
Tobias Pulls. Closes ticket 31113.
- Include an example usage for IPv6 ORPort in our sample torrc.
Closes ticket 31320; patch from Ali Raheem.
- Use RFC 2397 data URL scheme to embed an image into tor-exit-
notice.html so that operators no longer have to host it
themselves. Closes ticket 31089.
o Removed features:
- No longer include recommended package digests in votes as detailed
in proposal 301. The RecommendedPackages torrc option is
deprecated and will no longer have any effect. "package" lines
will still be considered when computing consensuses for consensus
methods that include them. (This change has no effect on the list
of recommended Tor versions, which is still in use.) Closes
ticket 29738.
- Remove torctl.in from contrib/dist directory. Resolves
ticket 30550.
o Testing:
- Require C99 standards-conforming code in Travis CI, but allow GNU
gcc extensions. Also activates clang's -Wtypedef-redefinition
warnings. Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
- Run shellcheck for all non-third-party shell scripts that are
shipped with Tor. Closes ticket 29533.
- When checking shell scripts, ignore any user-created directories.
Closes ticket 30967.
o Code simplification and refactoring (config handling):
- Extract our variable manipulation code from confparse.c to a new
lower-level typedvar.h module. Closes ticket 30864.
- Lower another layer of object management from confparse.c to a
more general tool. Now typed structure members are accessible via
an abstract type. Implements ticket 30914.
- Move our backend logic for working with configuration and state
files into a lower-level library, since it no longer depends on
any tor-specific functionality. Closes ticket 31626.
- Numerous simplifications in configuration-handling logic: remove
duplicated macro definitions, replace magical names with flags,
and refactor "TestingTorNetwork" to use the same default-option
logic as the rest of Tor. Closes ticket 30935.
- Replace our ad-hoc set of flags for configuration variables and
configuration variable types with fine-grained orthogonal flags
corresponding to the actual behavior we want. Closes ticket 31625.
o Code simplification and refactoring (misc):
- Eliminate some uses of lower-level control reply abstractions,
primarily in the onion_helper functions. Closes ticket 30889.
- Rework bootstrap tracking to use the new publish-subscribe
subsystem. Closes ticket 29976.
- Rewrite format_node_description() and router_get_verbose_nickname()
to use strlcpy() and strlcat(). The previous implementation used
memcpy() and pointer arithmetic, which was error-prone. Closes
ticket 31545. This is CID 1452819.
- Split extrainfo_dump_to_string() into smaller functions. Closes
ticket 30956.
- Use the ptrdiff_t type consistently for expressing variable
offsets and pointer differences. Previously we incorrectly (but
harmlessly) used int and sometimes off_t for these cases. Closes
ticket 31532.
- Use the subsystems mechanism to manage the main event loop code.
Closes ticket 30806.
- Various simplifications and minor improvements to the circuit
padding machines. Patch by Tobias Pulls. Closes tickets 31112
and 31098.
o Documentation (hard-coded directories):
- Improve the documentation for the DirAuthority and FallbackDir
torrc options. Closes ticket 30955.
o Documentation (tor.1 man page):
- Fix typo in tor.1 man page: the option is "--help", not "-help".
Fixes bug 31008; bugfix on 0.2.2.9-alpha.
o Testing (continuous integration):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
1
0
Tor Browser 9.0.2 is now available from the Tor Browser download page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/
2: https://www.torproject.org/dist/torbrowser/9.0.2/
This release features important security updates [3] to Firefox.
3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/
This new stable release is picking up security fixes for Firefox 68.3.0esr
and updating our external extensions (NoScript and HTTPS Everywhere) to
their latest versions.
Apart from backports for patches that already landed in alpha releases
and fixing an error in our circuit display and improving our letterboxing
support, Tor Browser 9.0.2 provides properly localized Android bundles
again as well.
_Reproducible Builds_
The issue with reproducible builds mentioned in the 9.0.1 blog post [4]
is still present in this release. We however made progress on understanding
the issue [5] and are getting closer to a fix.
4: https://blog.torproject.org/new-release-tor-browser-901
5: https://trac.torproject.org/projects/tor/ticket/32053
_ChangeLog_
The full changelog since Tor Browser 9.0.1 is:
* All Platforms
* Update Firefox to 68.3.0esr
* Bump NoScript to 11.0.9
* Bug 32362: NoScript TRUSTED setting doesn't work
* Bug 32429: Issues with about:blank and NoScript on .onion sites
* Bump HTTPS Everywhere to 2019.11.7
* Bug 27268: Preferences clean-up in Torbutton code
* Translations update
* Windows + OS X + Linux
* Bug 32125: Fix circuit display for bridge without a fingerprint
* Bug 32250: Backport enhanced letterboxing support (bug 1546832 and 1556017)
* Windows
* Bug 31989: Backport backout of old mingw-gcc patch
* Bug 32616: Disable GetSecureOutputDirectoryPath() functionality
* Android
* Bug 32365: Localization is broken in Tor Browser 9 on Android
* Build System
* All Platforms
* Bug 32413: Bump Go version to 1.12.13
1
0
Tor Browser 9.0.1 is now available from the Tor Browser download page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/
2: https://www.torproject.org/dist/torbrowser/9.0.1/
Tor Browser 9.0.1 is the first bugfix release in the 9.0 series and aims
to mostly fix regressions and provide small improvements related to our
9.0 release. Additionally, we are adding a banner on the starting page
for our fundraising campaign Take Back the Internet with Tor [3].
3: https://blog.torproject.org/take-back-internet-us
_Known Issue_
For each new release, two members from our team are building the release
separately and compare the result to make sure that it is reproducible [4].
For the 9.0 and 9.0.1 releases, however, an issue [5] that we are still
investigating is making our build not completely deterministic. As a
workaround for this issue, we had to do multiple builds until we got
matching builds. You might need to do the same if you are trying to
reproduce our build [6].
4: https://reproducible-builds.org/
5: https://trac.torproject.org/projects/tor/ticket/32053
6: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Buildi…
_ChangeLog_
The full changelog since Tor Browser 9.0 is:
* All Platforms
* Update NoScript to 11.0.4
* Bug 21004: Don't block JavaScript on onion services on medium security
* Bug 27307: NoScript marks HTTP onions as not secure
* Bug 30783: Fundraising banner for EOY 2019 campain
* Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
* Bug 27268: Preferences clean-up
* Windows + OS X + Linux
* Update Tor Launcher to 0.2.20.2
* Bug 32164: Trim each received log line from tor
* Translations update
* Bug 31803: Replaced about:debugging logo with flat version
* Bug 31764: Fix for error when navigating via 'Paste and go'
* Bug 32169: Fix TB9 Wikipedia address bar search
* Bug 32210: Hide the tor pane when using a system tor
* Bug 31658: Use builtin --panel-disabled-color for security level text
* Bug 32188: Fix localization on about:preferences#tor
* Bug 32184: Red dot is shown while downloading an update
* Android
* Bug 32342: Crash when changing the browser locale
1
0
Tor Browser 9.0 is now available from the Tor Browser download page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/
2: https://www.torproject.org/dist/torbrowser/9.0/
This release features important security updates [3] to Firefox.
3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/
Tor Browser 9.0 is the first stable release based on Firefox 68 ESR and
contains a number of updates to other components as well (including Tor
to 0.4.1.6 [4] and OpenSSL to 1.1.1d for desktop versions and Tor to 0.4.1.5 [5]
for Android).
4: https://blog.torproject.org/new-release-tor-0416
5: https://blog.torproject.org/new-release-tor-0415
In addition to all the needed patch rebasing and toolchain updates, we
made big improvements to make Tor Browser work better for you.
We want everyone in the world to be able to enjoy the privacy and freedom
online Tor provides, and that's why over the past couple years, we've
been working hard to boost our UX and localization efforts, with the
biggest gains first visible in Tor Browser 8.0 [6].
6: https://blog.torproject.org/new-release-tor-browser-80
In Tor Browser 9.0, we continue to build upon those efforts with sleeker
integration and additional localization support.
_Goodbye, Onion Button_
We want your experience using Tor to be fully integrated within the
browser so how you use Tor is more intuitive. That's why now, rather
than using the onion button that was in the toolbar, you can see your
path through the Tor network and request a New Circuit through the Tor
network in [i] on the URL bar.
Circuit display: https://blog.torproject.org/sites/default/files/inline-images/tor-circuit-d…
_Hello, New Identity Button_
Instead of going into the onion button to request a New Identity, we've
made this important feature easier to access by giving it its own button
in the toolbar.
You can also request a New Identity, and a New Circuit, from within the
[=] menu on the toolbar.
New Identity Button: https://blog.torproject.org/sites/default/files/inline-images/toolbar%20upd…
New Identity Menu: https://blog.torproject.org/sites/default/files/inline-images/tor-new-ident…
_Torbutton and Tor Launcher Integration_
Now that both extensions are tightly integrated into Tor Browser, they'll
no longer be found on the about:addons page.
about:preferences: https://blog.torproject.org/sites/default/files/inline-images/about-prefere…
We redesigned the bridge and proxy configuration dialogs and include
them directly into the browser's preference settings as well.
Rather than being a submenu behind the onion button, Tor Network Settings,
including the ability to fetch bridges to bypass censorship where Tor
is blocked, are easier to access on about:preferences#tor.
_Letterboxing_
Tor Browser in its default mode is starting with a content window rounded
to a multiple of 200px x 100px to prevent fingerprinting the screen
dimensions. The strategy here is to put all users in a couple of buckets
to make it harder to single them out. That worked so far until users
started to resize their windows (e.g. by maximizing them or going into
fullscreen mode). Tor Browser 9 ships with a fingerprinting defense for
those scenarios as well, which is called Letterboxing [7], a technique
developed by Mozilla and presented earlier this year [8]. It works by
adding white margins to a browser window so that the window is as close
as possible to the desired size while users are still in a couple of
screen size buckets that prevent singling them out with the help of
screen dimensions.
7: https://en.wikipedia.org/wiki/Letterboxing_(filming)
8: https://www.zdnet.com/article/firefox-to-add-tor-browser-anti-fingerprintin…
_Better Localization Support_
If we want all people around the world to be able to use our software,
then we need to make sure it's speaking their language. Since 8.0 [9],
Tor Browser has been available in 25 languages and we added 5 locales
more in Tor Browser 8.5. Today, we add support for two additional
languages: Macedonian (mk) and Romanian (ro), bringing the number of
supported languages to 32.
9: https://blog.torproject.org/new-release-tor-browser-80
We also fixed bugs in our previously shipped localized bundles (such as
ar and ko).
Many thanks to everyone who helped with these, in particular to our
translators [10].
10: https://blog.torproject.org/honoring-translators
_Known Issue_
As usual when preparing Tor Browser releases, we verified that the build
is bit-for-bit reproducible [11]. While we managed to get two matching
builds, we found that in some occasions the builds differ (we found this
happening on the Linux i686 [12] and macOS [13] bundles). We are still
investigating the cause of this issue to fix it.
11: https://reproducible-builds.org/
12: https://trac.torproject.org/projects/tor/ticket/32052
13: https://trac.torproject.org/projects/tor/ticket/32053
_Give Feedback_
If you find a bug or have a suggestion for how we could improve this
release, please let us know [14]. Thanks to all of the teams across
Tor [15], and the many volunteers, who contributed to this release.
14: https://support.torproject.org/misc/bug-or-feedback/
15: https://trac.torproject.org/projects/tor/wiki/org/teams
_Changelog_
The full changelog since Tor Browser 8.5.6 is:
* All Platforms
* Update Firefox to 68.2.0esr
* Bug 31740: Remove some unnecessary RemoteSettings instances
* Bug 13543: Spoof smooth and powerEfficient for Media Capabilities
* Bug 28196: about:preferences is not properly translated anymore
* Bug 19417: Disable asmjs on safer and safest security levels
* Bug 30463: Explicitly disable MOZ_TELEMETRY_REPORTING
* Bug 31935: Disable profile downgrade protection
* Bug 16285: Disable DRM/EME on Android and drop Adobe CDM
* Bug 31602: Remove Pocket indicators in UI and disable it
* Bug 31914: Fix eslint linter error
* Bug 30429: Rebase patches for Firefox 68 ESR
* Bug 31144: Review network code changes for Firefox 68 ESR
* Bug 10760: Integrate Torbutton into Tor Browser directly
* Bug 25856: Remove XUL overlays from Torbutton
* Bug 31322: Fix about:tor assertion failure debug builds
* Bug 29430: Add support for meek_lite bridges to bridgeParser
* Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
* Bug 30683: Prevent detection of locale via some *.properties
* Bug 31298: Backport patch for #24056
* Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
* Bug 27601: Browser notifications are not working anymore
* Bug 30845: Make sure internal extensions are enabled
* Bug 28896: Enable extensions in private browsing by default
* Bug 31563: Reload search extensions if extensions.enabledScopes has changed
* Bug 31396: Fix communication with NoScript for security settings
* Bug 31142: Fix crash of tab and messing with about:newtab
* Bug 29049: Backport JS Poison Patch
* Bug 25214: Canvas data extraction on locale pdf file should be allowed
* Bug 30657: Locale is leaked via title of link tag on non-html page
* Bug 31015: Disabling SVG hides UI icons in extensions
* Bug 30681: Set security.enterprise_roots.enabled to false
* Bug 30538: Unable to comment on The Independent Newspaper
* Bug 31209: View PDF in Tor Browser is fuzzy
* Translations update
* Windows + OS X + Linux
* Update Tor to 0.4.1.6
* Update OpenSSL to 1.1.1d
* Bug 31844: OpenSSL 1.1.1d fails to compile for some platforms/architectures
* Update Tor Launcher to 0.2.20.1
* Bug 28044: Integrate Tor Launcher into tor-browser
* Bug 32154: Custom bridge field only allows one line of input
* Bug 31286: New strings for about:preferences#tor
* Bug 31303: Do not launch tor in browser toolbox
* Bug 32112: Fix bad & escaping in translations
* Bug 31491: Clean up the old meek http helper browser profiles
* Bug 29197: Remove use of overlays
* Bug 31300: Modify Tor Launcher so it is compatible with ESR68
* Bug 31487: Modify moat client code so it is compatible with ESR68
* Bug 31488: Moat: support a comma-separated list of transports
* Bug 30468: Add mk locale
* Bug 30469: Add ro locale
* Bug 30319: Remove FTE bits
* Translations update
* Bug 32092: Fix Tor Browser Support link in preferences
* Bug 32111: Fixed issue parsing user-provided bridge strings
* Bug 31749: Fix security level panel spawning events
* Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
* Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
* Bug 28044: Integrate Tor Launcher into tor-browser
* Bug 31059: Enable Letterboxing
* Bug 30468: Add mk locale
* Bug 30469: Add ro locale
* Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
* Bug 31251: Security Level button UI polish
* Bug 31344: Register SecurityLevelPreference's 'unload' callback
* Bug 31286: Provide network settings on about:preferences#tor
* Bug 31886: Fix ko bundle bustage
* Bug 31768: Update onboarding for Tor Browser 9
* Bug 27511: Add new identity button to toolbar
* Bug 31778: Support dark-theme for the Circuit Display UI
* Bug 31910: Replace meek_lite with meek in circuit display
* Bug 30504: Deal with New Identity related browser console errors
* Bug 31929: Don't escape DTD entity in ar
* Bug 31747: Some onboarding UI is always shown in English
* Bug 32041: Replace = with real hamburguer icon ≡
* Bug 30304: Browser locale can be obtained via DTD strings
* Bug 31065: Set network.proxy.allow_hijacking_localhost to true
* Bug 24653: Merge securityLevel.properties into torbutton.dtd
* Bug 31164: Set up default bridge at Karlstad University
* Bug 15563: Disable ServiceWorkers on all platforms
* Bug 31598: Disable warning on window resize if letterboxing is enabled
* Bug 31562: Fix circuit display for error pages
* Bug 31575: Firefox is phoning home during start-up
* Bug 31491: Clean up the old meek http helper browser profiles
* Bug 26345: Hide tracking protection UI
* Bug 31601: Disable recommended extensions again
* Bug 30662: Don't show Firefox Home when opening new tabs
* Bug 31457: Disable per-installation profiles
* Bug 28822: Re-implement desktop onboarding for ESR 68
* Windows
* Bug 31942: Re-enable signature check for language packs
* Bug 29013: Enable stack protection for Firefox on Windows
* Bug 30800: ftp:// on Windows can be used to leak the system time zone
* Bug 31547: Back out patch for Mozilla's bug 1574980
* Bug 31141: Fix typo in font.system.whitelist
* Bug 30319: Remove FTE bits
* OS X
* Bug 30126: Make Tor Browser compatible with macOS 10.15
* Bug 31607: App menu items stop working on macOS
* Bug 31955: On macOS avoid throwing inside nonBrowserWindowStartup()
* Bug 29818: Adapt #13379 patch for 68esr
* Bug 31464: Meek and moat are broken on macOS 10.9 with Go 1.12
* Linux
* Bug 31942: Re-enable signature check for language packs
* Bug 31646: Update abicheck to require newer libstdc++.so.6
* Bug 31968: Don't fail if /proc/cpuinfo is not readable
* Bug 24755: Stop using a heredoc in start-tor-browser
* Bug 31550: Put curly quotes inside single quotes
* Bug 31394: Replace "-1" with "−1" in start-tor-browser.desktop
* Bug 30319: Remove FTE bits
* Android
* Update Tor to 0.4.1.5
* Bug 31010: Rebase mobile patches for Fennec 68
* Bug 31010: Don't use addTrustedTab() on mobile
* Bug 30607: Support Tor Browser running on Android Q
* Bug 31192: Support x86_64 target on Android
* Bug 30380: Cancel dormant by startup
* Bug 30943: Show version number on mobile
* Bug 31720: Enable website suggestions in address bar
* Bug 31822: Security slider is not really visible on Android anymore
* Bug 24920: Only create Private tabs in permanent Private Browsing Mode
* Bug 31730: Revert aarch64-workaround against JIT-related crashes
* Bug 32097: Fix conflicts in mobile onboarding while rebasing to 68.2.0esr
* Build System
* All Platforms
* Bug 30585: Provide standalone clang 8 project across all platforms
* Bug 30376: Use Rust 1.34 for Tor Browser 9
* Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
* Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
* Bug 31621: Fix node bug that makes large writes to stdout fail
* Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
* Bug 31293: Make sure the lo interface inside the containers is up
* Bug 27493: Clean up mozconfig options
* Bug 31308: Sync mozconfig files used in tor-browser over to tor-browser-build for esr68
* Windows
* Bug 29307: Use Stretch for cross-compiling for Windows
* Bug 29731: Remove faketime for Windows builds
* Bug 30322: Windows toolchain update for Firefox 68 ESR
* Bug 28716: Create mingw-w64-clang toolchain
* Bug 28238: Adapt firefox and fxc2 projects for Windows builds
* Bug 28716: Optionally omit timestamp in PE header
* Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
* Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
* Bug 9898: Provide clean fix for strcmpi issue in NSPR
* Bug 29013: Enable stack protection support for Firefox on Windows
* Bug 30384: Use 64bit containers to build 32bit Windows Tor Browser
* Bug 31538: Windows bundles based on ESR 68 are not built reproducibly
* Bug 31584: Clean up mingw-w64 project
* Bug 31596: Bump mingw-w64 version to pick up fix for #31567
* Bug 29187: Bump NSIS version to 3.04
* Bug 31732: Windows nightly builds are busted due to mingw-w64 commit bump
* Bug 29319: Remove FTE support for Windows
* OS X
* Bug 30323: MacOS toolchain update for Firefox 68 ESR
* Bug 31467: Switch to clang for cctools project
* Bug 31465: Adapt tor-browser-build projects for macOS notarization
* Linux
* Bug 31448: gold and lld break linking 32bit Linux bundles
* Bug 31618: Linux32 builds of Tor Browser 9.0a6 are not matching
* Bug 31450: Still use GCC for our ASan builds
* Bug 30321: Linux toolchain update for Firefox ESR 68
* Bug 30736: Install yasm from wheezy-backports
* Bug 31447: Don't install Python just for Mach
* Bug 30448: Strip Browser/gtk2/libmozgtk.so
* Android
* Bug 30324: Android toolchain update for Fennec 68
* Bug 31173: Update android-toolchain project to match Firefox
* Bug 31389: Update Android Firefox to build with Clang
* Bug 31388: Update Rust project for Android
* Bug 30665: Get Firefox 68 ESR working with latest android toolchain
* Bug 30460: Update TOPL project to use Firefox 68 toolchain
* Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
* Bug 28753: Use Gradle with --offline when building the browser part
* Bug 31564: Make Android bundles based on ESR 68 reproducible
* Bug 31981: Remove require-api.patch
* Bug 31979: TOPL: Sort dependency list
* Bug 30665: Remove unnecessary build patches for Firefox
1
0
Hello, everyone!
(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
. If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with. You
will have to enter the actual email address you used when you
subscribed.)
Source code for Tor 0.4.1.6 is now available; you can download the
source code from the usual place on the website, at
https://www.torproject.org/download/tor/ . Packages should be
available within the next several weeks, with a new Tor Browser in the
next week or two.
Changes in version 0.4.1.6 - 2019-09-19
This release backports several bugfixes to improve stability and
correctness. Anyone experiencing build problems or crashes with 0.4.1.5,
or experiencing reliability issues with single onion services, should
upgrade.
o Major bugfixes (crash, Linux, Android, backport from 0.4.2.1-alpha):
- Tolerate systems (including some Android installations) where
madvise and MADV_DONTDUMP are available at build-time, but not at
run time. Previously, these systems would notice a failed syscall
and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
- Tolerate systems (including some Linux installations) where
madvise and/or MADV_DONTFORK are available at build-time, but not
at run time. Previously, these systems would notice a failed
syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
o Minor features (stem tests, backport from 0.4.2.1-alpha):
- Change "make test-stem" so it only runs the stem tests that use
tor. This change makes test-stem faster and more reliable. Closes
ticket 31554.
o Minor bugfixes (build system, backport form 0.4.2.1-alpha):
- Do not include the deprecated <sys/sysctl.h> on Linux or Windows
systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (compilation, backport from 0.4.2.1-alpha):
- Add more stub functions to fix compilation on Android with link-
time optimization when --disable-module-dirauth is used.
Previously, these compilation settings would make the compiler
look for functions that didn't exist. Fixes bug 31552; bugfix
on 0.4.1.1-alpha.
- Suppress spurious float-conversion warnings from GCC when calling
floating-point classifier functions on FreeBSD. Fixes part of bug
31687; bugfix on 0.3.1.5-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and ignored
the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
- When tor is missing descriptors for some primary entry guards,
make the log message less alarming. It's normal for descriptors to
expire, as long as tor fetches new ones soon after. Fixes bug
31657; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
- Change log level of message "Hash of session info was not as
expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
on 0.1.1.10-alpha.
o Minor bugfixes (rust, backport from 0.4.2.1-alpha):
- Correctly exclude a redundant rust build job in Travis. Fixes bug
31463; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
- Always retry v2 single onion service intro and rend circuits with
a 3-hop path. Previously, v2 single onion services used a 3-hop
path when rendezvous circuits were retried after a remote or
delayed failure, but a 1-hop path for immediate retries. Fixes bug
23818; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (v3 single onion services, backport from 0.4.2.1-alpha):
- Always retry v3 single onion service intro and rend circuits with
a 3-hop path. Previously, v3 single onion services used a 3-hop
path when rend circuits were retried after a remote or delayed
failure, but a 1-hop path for immediate retries. Fixes bug 23818;
bugfix on 0.3.2.1-alpha.
- Make v3 single onion services fall back to a 3-hop intro, when all
intro points are unreachable via a 1-hop path. Previously, v3
single onion services failed when all intro nodes were unreachable
via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
o Documentation (backport from 0.4.2.1-alpha):
- Use RFC 2397 data URL scheme to embed an image into tor-exit-
notice.html so that operators no longer have to host it
themselves. Closes ticket 31089.
1
0
Tor Browser for Android 8.5.6 is now available from the Tor Browser
Download page [1] and also from our distribution directory [2]. This
version is for Android only, the latest version for Linux, macOS and
Windows is still 8.5.5 [3].
1: https://www.torproject.org/download/#android
2: https://www.torproject.org/dist/torbrowser/8.5.6/
3: https://blog.torproject.org/new-release-tor-browser-855
This update is fixing an issue with the aarch64 version, mostly on
Android 9 [4] which was causing a crash on every launch.
4: https://trac.torproject.org/projects/tor/ticket/31616
Note: Due to some issue with Google Play's new requirement for 64bit
versions [5], we have not yet been able to publish the Android x86 and
x86_64 versions on Google Play. We plan to fix this in the next release.
In the meantime the x86 version can be downloaded from our website [6].
5: https://developer.android.com/distribute/best-practices/develop/64-bit
6: https://www.torproject.org/download/#android
The full changelog since Tor Browser 8.5.5 is:
* Android
* Update Torbutton to 2.1.14
* Bug 31616: Fix JIT related crashes on aarch64
1
0
Tor Browser 8.5.5 is now available from the Tor Browser Download page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/
2: https://www.torproject.org/dist/torbrowser/8.5.5/
This release features important security updates [3] to Firefox.
3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/
This release is updating Firefox to 60.9.0esr, Tor to 0.4.1.5 [4], and
NoScript to 11.0.3. This release also includes various bug fixes. On
the Windows side, we should now have support for accessibility tools [5].
On the Android side, we added support for arm64-v8a devices [6].
4: https://blog.torproject.org/new-release-tor-0415
5: https://trac.torproject.org/projects/tor/ticket/27503
6: https://trac.torproject.org/projects/tor/ticket/28119
This is expected to be the last release in the 8.5 series: on October 22
we will switch to the 9.0 series, based on Firefox 68ESR.
Note 1: Due to some issue with Google Play's new requirement for 64bit
versions [7], we have not yet been able to publish the Android x86 and
x86_64 versions on Google Play. We hope to be able to fix this in the
next days. In the meantime the x86 version can be downloaded from our
website [8].
7: https://developer.android.com/distribute/best-practices/develop/64-bit
8: https://www.torproject.org/download/#android
Note 2: There is an issue with the aarch64 version on Android 9 [9]
causing a crash on every launch. We are working on a fix for this issue.
9: https://trac.torproject.org/projects/tor/ticket/31616
The full changelog since Tor Browser 8.5.4 is:
* All platforms
* Update Firefox to 60.9.0esr
* Update Torbutton to 2.1.13
* Bug 31520: Remove monthly giving banner from Tor Browser
* Bug 31140: Do not enable IonMonkey on AARCH64
* Translations update
* Update NoScript to 11.0.3
* Bug 26847: NoScript pops up a full-site window for XSS warning
* Bug 31287: NoScript leaks browser locale
* Bug 31357: Retire Tom's default obfs4 bridge
* Windows + OS X + Linux
* Update Tor to 0.4.1.5
* Windows
* Bug 31547: Back out patch for Mozilla's bug 1574980
* Bug 27503: Provide full support for accessibility tools
* Bug 30575: Don't allow enterprise policies in Tor Browser
* Bug 31141: Fix typo in font.system.whitelist
* Android
* Bug 28119: Tor Browser for aarch64
* Build System
* All platforms
* Bug 31465: Bump Go to 1.12.9
1
0
Hello, everyone!
(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
. If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with. You
will have to enter the actual email address you used when you
subscribed.)
After months of work, Tor 0.4.1.5 is now available! This is the first
stable release in the 0.4.1 series, and we hope you find it useful.
You can download the source code from the usual place on the website
(https://www.torproject.org/download/tor/ ). Packages should be
available within the next several weeks, with a new Tor Browser in
early September.
Here are all the changes since 0.4.0.5:
Changes in version 0.4.1.5 - 2019-08-20
This is the first stable release in the 0.4.1.x series. This series
adds experimental circuit-level padding, authenticated SENDME cells to
defend against certain attacks, and several performance improvements
to save on CPU consumption. It fixes bugs in bootstrapping and v3
onion services. It also includes numerous smaller features and
bugfixes on earlier versions.
Per our support policy, we will support the 0.4.1.x series for nine
months, or until three months after the release of a stable 0.4.2.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.4.0.5. For a list of only the changes
since 0.4.1.4-rc, see the ChangeLog file.
o Directory authority changes:
- The directory authority "dizum" has a new IP address. Closes
ticket 31406.
o Major features (circuit padding):
- Onion service clients now add padding cells at the start of their
INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic
look more like general purpose Exit traffic. The overhead for this
is 2 extra cells in each direction for RENDEZVOUS circuits, and 1
extra upstream cell and 10 downstream cells for INTRODUCE
circuits. This feature is only enabled when also supported by the
circuit's middle node. (Clients may specify fixed middle nodes
with the MiddleNodes option, and may force-disable this feature
with the CircuitPadding option.) Closes ticket 28634.
o Major features (code organization):
- Tor now includes a generic publish-subscribe message-passing
subsystem that we can use to organize intermodule dependencies. We
hope to use this to reduce dependencies between modules that don't
need to be related, and to generally simplify our codebase. Closes
ticket 28226.
o Major features (controller protocol):
- Controller commands are now parsed using a generalized parsing
subsystem. Previously, each controller command was responsible for
parsing its own input, which led to strange inconsistencies.
Closes ticket 30091.
o Major features (flow control):
- Implement authenticated SENDMEs as detailed in proposal 289. A
SENDME cell now includes the digest of the traffic that it
acknowledges, so that once an end point receives the SENDME, it
can confirm the other side's knowledge of the previous cells that
were sent, and prevent certain types of denial-of-service attacks.
This behavior is controlled by two new consensus parameters: see
the proposal for more details. Fixes ticket 26288.
o Major features (performance):
- Our node selection algorithm now excludes nodes in linear time.
Previously, the algorithm was quadratic, which could slow down
heavily used onion services. Closes ticket 30307.
o Major features (performance, RNG):
- Tor now constructs a fast secure pseudorandom number generator for
each thread, to use when performance is critical. This PRNG is
based on AES-CTR, using a buffering construction similar to
libottery and the (newer) OpenBSD arc4random() code. It
outperforms OpenSSL 1.1.1a's CSPRNG by roughly a factor of 100 for
small outputs. Although we believe it to be cryptographically
strong, we are only using it when necessary for performance.
Implements tickets 29023 and 29536.
o Major bugfixes (bridges):
- Consider our directory information to have changed when our list
of bridges changes. Previously, Tor would not re-compute the
status of its directory information when bridges changed, and
therefore would not realize that it was no longer able to build
circuits. Fixes part of bug 29875.
- Do not count previously configured working bridges towards our
total of working bridges. Previously, when Tor's list of bridges
changed, it would think that the old bridges were still usable,
and delay fetching router descriptors for the new ones. Fixes part
of bug 29875; bugfix on 0.3.0.1-alpha.
o Major bugfixes (circuit build, guard):
- When considering upgrading circuits from "waiting for guard" to
"open", always ignore circuits that are marked for close. Otherwise,
we can end up in the situation where a subsystem is notified that
a closing circuit has just opened, leading to undesirable
behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.
o Major bugfixes (onion service reachability):
- Properly clean up the introduction point map when circuits change
purpose from onion service circuits to pathbias, measurement, or
other circuit types. This should fix some service-side instances
of introduction point failure. Fixes bug 29034; bugfix
on 0.3.2.1-alpha.
o Major bugfixes (onion service v3):
- Fix an unreachable bug in which an introduction point could try to
send an INTRODUCE_ACK with a status code that Trunnel would refuse
to encode, leading the relay to assert(). We've consolidated the
ABI values into Trunnel now. Fixes bug 30454; bugfix
on 0.3.0.1-alpha.
- Clients can now handle unknown status codes from INTRODUCE_ACK
cells. (The NACK behavior will stay the same.) This will allow us
to extend status codes in the future without breaking the normal
client behavior. Fixes another part of bug 30454; bugfix
on 0.3.0.1-alpha.
o Minor features (authenticated SENDME):
- Ensure that there is enough randomness on every circuit to prevent
an attacker from successfully predicting the hashes they will need
to include in authenticated SENDME cells. At a random interval, if
we have not sent randomness already, we now leave some extra space
at the end of a cell that we can fill with random bytes. Closes
ticket 26846.
o Minor features (circuit padding logging):
- Demote noisy client-side warn logs about circuit padding to protocol
warnings. Add additional log messages and circuit ID fields to help
with bug 30992 and any other future issues.
o Minor features (circuit padding):
- We now use a fast PRNG when scheduling circuit padding. Part of
ticket 28636.
- Allow the padding machine designer to pick the edges of their
histogram instead of trying to compute them automatically using an
exponential formula. Resolves some undefined behavior in the case
of small histograms and allows greater flexibility on machine
design. Closes ticket 29298; bugfix on 0.4.0.1-alpha.
- Allow circuit padding machines to hold a circuit open until they
are done padding it. Closes ticket 28780.
o Minor features (compile-time modules):
- Add a "--list-modules" command to print a list of which compile-
time modules are enabled. Closes ticket 30452.
o Minor features (continuous integration):
- Our Travis configuration now uses Chutney to run some network
integration tests automatically. Closes ticket 29280.
- When running coverage builds on Travis, we now set
TOR_TEST_RNG_SEED, to avoid RNG-based coverage differences. Part
of ticket 28878.
- Remove sudo configuration lines from .travis.yml as they are no
longer needed with current Travis build environment. Resolves
issue 30213.
- In Travis, show stem's tor log after failure. Closes ticket 30234.
o Minor features (controller):
- Add onion service version 3 support to the HSFETCH command.
Previously, only version 2 onion services were supported. Closes
ticket 25417. Patch by Neel Chauhan.
o Minor features (debugging):
- Introduce tor_assertf() and tor_assertf_nonfatal() to enable
logging of additional information during assert failure. Now we
can use format strings to include information for trouble
shooting. Resolves ticket 29662.
o Minor features (defense in depth):
- In smartlist_remove_keeporder(), set unused pointers to NULL, in
case a bug causes them to be used later. Closes ticket 30176.
Patch from Tobias Stoeckmann.
- Tor now uses a cryptographically strong PRNG even for decisions
that we do not believe are security-sensitive. Previously, for
performance reasons, we had used a trivially predictable linear
congruential generator algorithm for certain load-balancing and
statistical sampling decisions. Now we use our fast RNG in those
cases. Closes ticket 29542.
o Minor features (developer tools):
- Tor's "practracker" test script now checks for files and functions
that seem too long and complicated. Existing overlong functions
and files are accepted for now, but should eventually be
refactored. Closes ticket 29221.
- Add some scripts used for git maintenance to scripts/git. Closes
ticket 29391.
- Call practracker from pre-push and pre-commit git hooks to let
developers know if they made any code style violations. Closes
ticket 30051.
- Add a script to check that each header has a well-formed and
unique guard macro. Closes ticket 29756.
o Minor features (fallback directory list):
- Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
in December 2018 (of which ~122 were still functional), with a
list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
in June 2019. Closes ticket 28795.
o Minor features (geoip):
- Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2
Country database. Closes ticket 30852.
- Update geoip and geoip6 to the May 13 2019 Maxmind GeoLite2
Country database. Closes ticket 30522.
o Minor features (HTTP tunnel):
- Return an informative web page when the HTTPTunnelPort is used as
an HTTP proxy. Closes ticket 27821, patch by "eighthave".
o Minor features (IPv6, v3 onion services):
- Make v3 onion services put IPv6 addresses in service descriptors.
Before this change, service descriptors only contained IPv4
addresses. Implements 26992.
o Minor features (logging):
- Give a more useful assertion failure message if we think we have
minherit() but we fail to make a region non-inheritable. Give a
compile-time warning if our support for minherit() is incomplete.
Closes ticket 30686.
o Minor features (maintenance):
- Add a new "make autostyle" target that developers can use to apply
all automatic Tor style and consistency conversions to the
codebase. Closes ticket 30539.
o Minor features (modularity):
- The "--disable-module-dirauth" compile-time option now disables
even more dirauth-only code. Closes ticket 30345.
o Minor features (performance):
- Use OpenSSL's implementations of SHA3 when available (in OpenSSL
1.1.1 and later), since they tend to be faster than tiny-keccak.
Closes ticket 28837.
o Minor features (testing):
- The circuitpadding tests now use a reproducible RNG implementation,
so that if a test fails, we can learn why. Part of ticket 28878.
- Tor's tests now support an environment variable, TOR_TEST_RNG_SEED,
to set the RNG seed for tests that use a reproducible RNG. Part of
ticket 28878.
- When running tests in coverage mode, take additional care to make
our coverage deterministic, so that we can accurately track
changes in code coverage. Closes ticket 30519.
- Tor's unit test code now contains helper functions to replace the
PRNG with a deterministic or reproducible version for testing.
Previously, various tests implemented this in various ways.
Implements ticket 29732.
- We now have a script, cov-test-determinism.sh, to identify places
where our unit test coverage has become nondeterministic. Closes
ticket 29436.
- Check that representative subsets of values of `int` and `unsigned
int` can be represented by `void *`. Resolves issue 29537.
o Minor bugfixes (bridge authority):
- Bridge authorities now set bridges as running or non-running when
about to dump their status to a file. Previously, they set bridges
as running in response to a GETINFO command, but those shouldn't
modify data structures. Fixes bug 24490; bugfix on 0.2.0.13-alpha.
Patch by Neel Chauhan.
o Minor bugfixes (channel padding statistics):
- Channel padding write totals and padding-enabled totals are now
counted properly in relay extrainfo descriptors. Fixes bug 29231;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (circuit isolation):
- Fix a logic error that prevented the SessionGroup sub-option from
being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (circuit padding):
- Add a "CircuitPadding" torrc option to disable circuit padding.
Fixes bug 28693; bugfix on 0.4.0.1-alpha.
- Allow circuit padding machines to specify that they do not
contribute much overhead, and provide consensus flags and torrc
options to force clients to only use these low overhead machines.
Fixes bug 29203; bugfix on 0.4.0.1-alpha.
- Provide a consensus parameter to fully disable circuit padding, to
be used in emergency network overload situations. Fixes bug 30173;
bugfix on 0.4.0.1-alpha.
- The circuit padding subsystem will no longer schedule padding if
dormant mode is enabled. Fixes bug 28636; bugfix on 0.4.0.1-alpha.
- Inspect a circuit-level cell queue before sending padding, to
avoid sending padding while too much data is already queued. Fixes
bug 29204; bugfix on 0.4.0.1-alpha.
- Avoid calling monotime_absolute_usec() in circuit padding machines
that do not use token removal or circuit RTT estimation. Fixes bug
29085; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (clock skew detection):
- Don't believe clock skew results from NETINFO cells that appear to
arrive before we sent the VERSIONS cells they are responding to.
Previously, we would accept them up to 3 minutes "in the past".
Fixes bug 31343; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (compatibility, standards compliance):
- Fix a bug that would invoke undefined behavior on certain
operating systems when trying to asprintf() a string exactly
INT_MAX bytes long. We don't believe this is exploitable, but it's
better to fix it anyway. Fixes bug 31001; bugfix on 0.2.2.11-alpha.
Found and fixed by Tobias Stoeckmann.
o Minor bugfixes (compilation warning):
- Fix a compilation warning on Windows about casting a function
pointer for GetTickCount64(). Fixes bug 31374; bugfix on
0.2.9.1-alpha.
o Minor bugfixes (compilation):
- Avoid using labs() on time_t, which can cause compilation warnings
on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (compilation, unusual configurations):
- Avoid failures when building with the ALL_BUGS_ARE_FATAL option
due to missing declarations of abort(), and prevent other such
failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (configuration, proxies):
- Fix a bug that prevented us from supporting SOCKS5 proxies that
want authentication along with configured (but unused!)
ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.
o Minor bugfixes (continuous integration):
- Allow the test-stem job to fail in Travis, because it sometimes
hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
- Skip test_rebind on macOS in Travis, because it is unreliable on
macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
- Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (controller protocol):
- Teach the controller parser to distinguish an object preceded by
an argument list from one without. Previously, it couldn't
distinguish an argument list from the first line of a multiline
object. Fixes bug 29984; bugfix on 0.2.3.8-alpha.
o Minor bugfixes (crash on exit):
- Avoid a set of possible code paths that could try to use freed
memory in routerlist_free() while Tor was exiting. Fixes bug
31003; bugfix on 0.1.2.2-alpha.
o Minor bugfixes (developer tooling):
- Fix pre-push hook to allow fixup and squash commits when pushing
to non-upstream git remote. Fixes bug 30286; bugfix
on 0.4.0.1-alpha.
o Minor bugfixes (directory authorities):
- Stop crashing after parsing an unknown descriptor purpose
annotation. We think this bug can only be triggered by modifying a
local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.
- Move the "bandwidth-file-headers" line in directory authority
votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix
on 0.3.5.1-alpha.
- Directory authorities with IPv6 support now always mark themselves
as reachable via IPv6. Fixes bug 24338; bugfix on 0.2.4.1-alpha.
Patch by Neel Chauhan.
o Minor bugfixes (documentation):
- Improve the documentation for using MapAddress with ".exit". Fixes
bug 30109; bugfix on 0.1.0.1-rc.
- Improve the monotonic time module and function documentation to
explain what "monotonic" actually means, and document some results
that have surprised people. Fixes bug 29640; bugfix
on 0.2.9.1-alpha.
- Use proper formatting when providing an example on quoting options
that contain whitespace. Fixes bug 29635; bugfix on 0.2.3.18-rc.
o Minor bugfixes (logging):
- Do not log a warning when running with an OpenSSL version other
than the one Tor was compiled with, if the two versions should be
compatible. Previously, we would warn whenever the version was
different. Fixes bug 30190; bugfix on 0.2.4.2-alpha.
- Warn operators when the MyFamily option is set but ContactInfo is
missing, as the latter should be set too. Fixes bug 25110; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (memory leaks):
- Avoid a minor memory leak that could occur on relays when failing
to create a "keys" directory. Fixes bug 30148; bugfix
on 0.3.3.1-alpha.
- Fix a trivial memory leak when parsing an invalid value from a
download schedule in the configuration. Fixes bug 30894; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (NetBSD):
- Fix usage of minherit() on NetBSD and other platforms that define
MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug
30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell.
o Minor bugfixes (onion services):
- Avoid a GCC 9.1.1 warning (and possible crash depending on libc
implemenation) when failing to load an onion service client
authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha.
- When refusing to launch a controller's HSFETCH request because of
rate-limiting, respond to the controller with a new response,
"QUERY_RATE_LIMITED". Previously, we would log QUERY_NO_HSDIR for
this case. Fixes bug 28269; bugfix on 0.3.1.1-alpha. Patch by
Neel Chauhan.
- When relaunching a circuit to a rendezvous service, mark the
circuit as needing high-uptime routers as appropriate. Fixes bug
17357; bugfix on 0.1.0.1-rc. Patch by Neel Chauhan.
- Stop ignoring IPv6 link specifiers sent to v3 onion services.
(IPv6 support for v3 onion services is still incomplete: see
ticket 23493 for details.) Fixes bug 23588; bugfix on
0.3.2.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (onion services, performance):
- When building circuits to onion services, call tor_addr_parse()
less often. Previously, we called tor_addr_parse() in
circuit_is_acceptable() even if its output wasn't used. This
change should improve performance when building circuits. Fixes
bug 22210; bugfix on 0.2.8.12. Patch by Neel Chauhan.
o Minor bugfixes (out-of-memory handler):
- When purging the DNS cache because of an out-of-memory condition,
try purging just the older entries at first. Previously, we would
always purge the whole thing. Fixes bug 29617; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (performance):
- When checking whether a node is a bridge, use a fast check to make
sure that its identity is set. Previously, we used a constant-time
check, which is not necessary in this case. Fixes bug 30308;
bugfix on 0.3.5.1-alpha.
o Minor bugfixes (pluggable transports):
- Tor now sets TOR_PT_EXIT_ON_STDIN_CLOSE=1 for client transports as
well as servers. Fixes bug 25614; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (portability):
- Avoid crashing in our tor_vasprintf() implementation on systems
that define neither vasprintf() nor _vscprintf(). (This bug has
been here long enough that we question whether people are running
Tor on such systems, but we're applying the fix out of caution.)
Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by
Tobias Stoeckmann.
o Minor bugfixes (probability distributions):
- Refactor and improve parts of the probability distribution code
that made Coverity complain. Fixes bug 29805; bugfix
on 0.4.0.1-alpha.
o Minor bugfixes (python):
- Stop assuming that /usr/bin/python3 exists. For scripts that work
with python2, use /usr/bin/python. Otherwise, use /usr/bin/env
python3. Fixes bug 29913; bugfix on 0.2.5.3-alpha.
o Minor bugfixes (relay):
- When running as a relay, if IPv6Exit is set to 1 while ExitRelay
is auto, act as if ExitRelay is 1. Previously, we would ignore
IPv6Exit if ExitRelay was 0 or auto. Fixes bug 29613; bugfix on
0.3.5.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (static analysis):
- Fix several spurious Coverity warnings about the unit tests, to
lower our chances of missing real warnings in the future. Fixes
bug 30150; bugfix on 0.3.5.1-alpha and various other Tor versions.
o Minor bugfixes (stats):
- When ExtraInfoStatistics is 0, stop including bandwidth usage
statistics, GeoIPFile hashes, ServerTransportPlugin lines, and
bridge statistics by country in extra-info documents. Fixes bug
29018; bugfix on 0.2.4.1-alpha.
o Minor bugfixes (testing):
- Call setrlimit() to disable core dumps in test_bt_cl.c. Previously
we used `ulimit -c` in test_bt.sh, which violates POSIX shell
compatibility. Fixes bug 29061; bugfix on 0.3.5.1-alpha.
- Fix some incorrect code in the v3 onion service unit tests. Fixes
bug 29243; bugfix on 0.3.2.1-alpha.
- In the "routerkeys/*" tests, check the return values of mkdir()
for possible failures. Fixes bug 29939; bugfix on 0.2.7.2-alpha.
Found by Coverity as CID 1444254.
- Split test_utils_general() into several smaller test functions.
This makes it easier to perform resource deallocation on assert
failure, and fixes Coverity warnings CID 1444117 and CID 1444118.
Fixes bug 29823; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (tor-resolve):
- Fix a memory leak in tor-resolve that could happen if Tor gave it
a malformed SOCKS response. (Memory leaks in tor-resolve don't
actually matter, but it's good to fix them anyway.) Fixes bug
30151; bugfix on 0.4.0.1-alpha.
o Code simplification and refactoring:
- Abstract out the low-level formatting of replies on the control
port. Implements ticket 30007.
- Add several assertions in an attempt to fix some Coverity
warnings. Closes ticket 30149.
- Introduce a connection_dir_buf_add() helper function that checks
for compress_state of dir_connection_t and automatically writes a
string to directory connection with or without compression.
Resolves issue 28816.
- Make the base32_decode() API return the number of bytes written,
for consistency with base64_decode(). Closes ticket 28913.
- Move most relay-only periodic events out of mainloop.c into the
relay subsystem. Closes ticket 30414.
- Refactor and encapsulate parts of the codebase that manipulate
crypt_path_t objects. Resolves issue 30236.
- Refactor several places in our code that Coverity incorrectly
believed might have memory leaks. Closes ticket 30147.
- Remove redundant return values in crypto_format, and the
associated return value checks elsewhere in the code. Make the
implementations in crypto_format consistent, and remove redundant
code. Resolves ticket 29660.
- Rename tor_mem_is_zero() to fast_mem_is_zero(), to emphasize that
it is not a constant-time function. Closes ticket 30309.
- Replace hs_desc_link_specifier_t with link_specifier_t, and remove
all hs_desc_link_specifier_t-specific code. Fixes bug 22781;
bugfix on 0.3.2.1-alpha.
- Simplify v3 onion service link specifier handling code. Fixes bug
23576; bugfix on 0.3.2.1-alpha.
- Split crypto_digest.c into NSS code, OpenSSL code, and shared
code. Resolves ticket 29108.
- Split control.c into several submodules, in preparation for
distributing its current responsibilities throughout the codebase.
Closes ticket 29894.
- Start to move responsibility for knowing about periodic events to
the appropriate subsystems, so that the mainloop doesn't need to
know all the periodic events in the rest of the codebase.
Implements tickets 30293 and 30294.
o Documentation:
- Mention URLs for Travis/Appveyor/Jenkins in ReleasingTor.md.
Closes ticket 30630.
- Document how to find git commits and tags for bug fixes in
CodingStandards.md. Update some file documentation. Closes
ticket 30261.
o Removed features:
- Remove the linux-tor-prio.sh script from contrib/operator-tools
directory. Resolves issue 29434.
- Remove the obsolete OpenSUSE initscript. Resolves issue 30076.
- Remove the obsolete script at contrib/dist/tor.sh.in. Resolves
issue 30075.
o Testing:
- Specify torrc paths (with empty files) when launching tor in
integration tests; refrain from reading user and system torrcs.
Resolves issue 29702.
o Code simplification and refactoring (shell scripts):
- Clean up many of our shell scripts to fix shellcheck warnings.
These include autogen.sh (ticket 26069), test_keygen.sh (ticket
29062), test_switch_id.sh (ticket 29065), test_rebind.sh (ticket
29063), src/test/fuzz/minimize.sh (ticket 30079), test_rust.sh
(ticket 29064), torify (ticket 29070), asciidoc-helper.sh (29926),
fuzz_multi.sh (30077), fuzz_static_testcases.sh (ticket 29059),
nagios-check-tor-authority-cert (ticket 29071),
src/test/fuzz/fixup_filenames.sh (ticket 30078), test-network.sh
(ticket 29060), test_key_expiration.sh (ticket 30002),
zero_length_keys.sh (ticket 29068), and test_workqueue_*.sh
(ticket 29067).
o Testing (chutney):
- In "make test-network-all", test IPv6-only v3 single onion
services, using the chutney network single-onion-v23-ipv6-md.
Closes ticket 27251.
o Testing (continuous integration):
- In Travis, make stem log a controller trace to the console, and tail
stem's tor log after failure. Closes ticket 30591.
- In Travis, only run the stem tests that use a tor binary.
Closes ticket 30694.
1
0