- tor-announce - lists.torproject.org

Tor Browser 8.5.6 is released
by Nicolas Vigier 11 Sep '19

11 Sep '19

Tor Browser for Android 8.5.6 is now available from the Tor Browser Download page [1] and also from our distribution directory [2]. This version is for Android only, the latest version for Linux, macOS and Windows is still 8.5.5 [3]. 1: https://www.torproject.org/download/#android 2: https://www.torproject.org/dist/torbrowser/8.5.6/ 3: https://blog.torproject.org/new-release-tor-browser-855 This update is fixing an issue with the aarch64 version, mostly on Android 9 [4] which was causing a crash on every launch. 4: https://trac.torproject.org/projects/tor/ticket/31616 Note: Due to some issue with Google Play's new requirement for 64bit versions [5], we have not yet been able to publish the Android x86 and x86_64 versions on Google Play. We plan to fix this in the next release. In the meantime the x86 version can be downloaded from our website [6]. 5: https://developer.android.com/distribute/best-practices/develop/64-bit 6: https://www.torproject.org/download/#android The full changelog since Tor Browser 8.5.5 is: * Android * Update Torbutton to 2.1.14 * Bug 31616: Fix JIT related crashes on aarch64

1 0

Tor Browser 8.5.5 is released
by Nicolas Vigier 05 Sep '19

05 Sep '19

Tor Browser 8.5.5 is now available from the Tor Browser Download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/8.5.5/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/ This release is updating Firefox to 60.9.0esr, Tor to 0.4.1.5 [4], and NoScript to 11.0.3. This release also includes various bug fixes. On the Windows side, we should now have support for accessibility tools [5]. On the Android side, we added support for arm64-v8a devices [6]. 4: https://blog.torproject.org/new-release-tor-0415 5: https://trac.torproject.org/projects/tor/ticket/27503 6: https://trac.torproject.org/projects/tor/ticket/28119 This is expected to be the last release in the 8.5 series: on October 22 we will switch to the 9.0 series, based on Firefox 68ESR. Note 1: Due to some issue with Google Play's new requirement for 64bit versions [7], we have not yet been able to publish the Android x86 and x86_64 versions on Google Play. We hope to be able to fix this in the next days. In the meantime the x86 version can be downloaded from our website [8]. 7: https://developer.android.com/distribute/best-practices/develop/64-bit 8: https://www.torproject.org/download/#android Note 2: There is an issue with the aarch64 version on Android 9 [9] causing a crash on every launch. We are working on a fix for this issue. 9: https://trac.torproject.org/projects/tor/ticket/31616 The full changelog since Tor Browser 8.5.4 is: * All platforms * Update Firefox to 60.9.0esr * Update Torbutton to 2.1.13 * Bug 31520: Remove monthly giving banner from Tor Browser * Bug 31140: Do not enable IonMonkey on AARCH64 * Translations update * Update NoScript to 11.0.3 * Bug 26847: NoScript pops up a full-site window for XSS warning * Bug 31287: NoScript leaks browser locale * Bug 31357: Retire Tom's default obfs4 bridge * Windows + OS X + Linux * Update Tor to 0.4.1.5 * Windows * Bug 31547: Back out patch for Mozilla's bug 1574980 * Bug 27503: Provide full support for accessibility tools * Bug 30575: Don't allow enterprise policies in Tor Browser * Bug 31141: Fix typo in font.system.whitelist * Android * Bug 28119: Tor Browser for aarch64 * Build System * All platforms * Bug 31465: Bump Go to 1.12.9

1 0

Tor 0.4.1.5 is released
by Nick Mathewson 20 Aug '19

20 Aug '19

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) After months of work, Tor 0.4.1.5 is now available! This is the first stable release in the 0.4.1 series, and we hope you find it useful. You can download the source code from the usual place on the website (https://www.torproject.org/download/tor/ ). Packages should be available within the next several weeks, with a new Tor Browser in early September. Here are all the changes since 0.4.0.5: Changes in version 0.4.1.5 - 2019-08-20 This is the first stable release in the 0.4.1.x series. This series adds experimental circuit-level padding, authenticated SENDME cells to defend against certain attacks, and several performance improvements to save on CPU consumption. It fixes bugs in bootstrapping and v3 onion services. It also includes numerous smaller features and bugfixes on earlier versions. Per our support policy, we will support the 0.4.1.x series for nine months, or until three months after the release of a stable 0.4.2.x: whichever is longer. If you need longer-term support, please stick with 0.3.5.x, which will we plan to support until Feb 2022. Below are the changes since 0.4.0.5. For a list of only the changes since 0.4.1.4-rc, see the ChangeLog file. o Directory authority changes: - The directory authority "dizum" has a new IP address. Closes ticket 31406. o Major features (circuit padding): - Onion service clients now add padding cells at the start of their INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic look more like general purpose Exit traffic. The overhead for this is 2 extra cells in each direction for RENDEZVOUS circuits, and 1 extra upstream cell and 10 downstream cells for INTRODUCE circuits. This feature is only enabled when also supported by the circuit's middle node. (Clients may specify fixed middle nodes with the MiddleNodes option, and may force-disable this feature with the CircuitPadding option.) Closes ticket 28634. o Major features (code organization): - Tor now includes a generic publish-subscribe message-passing subsystem that we can use to organize intermodule dependencies. We hope to use this to reduce dependencies between modules that don't need to be related, and to generally simplify our codebase. Closes ticket 28226. o Major features (controller protocol): - Controller commands are now parsed using a generalized parsing subsystem. Previously, each controller command was responsible for parsing its own input, which led to strange inconsistencies. Closes ticket 30091. o Major features (flow control): - Implement authenticated SENDMEs as detailed in proposal 289. A SENDME cell now includes the digest of the traffic that it acknowledges, so that once an end point receives the SENDME, it can confirm the other side's knowledge of the previous cells that were sent, and prevent certain types of denial-of-service attacks. This behavior is controlled by two new consensus parameters: see the proposal for more details. Fixes ticket 26288. o Major features (performance): - Our node selection algorithm now excludes nodes in linear time. Previously, the algorithm was quadratic, which could slow down heavily used onion services. Closes ticket 30307. o Major features (performance, RNG): - Tor now constructs a fast secure pseudorandom number generator for each thread, to use when performance is critical. This PRNG is based on AES-CTR, using a buffering construction similar to libottery and the (newer) OpenBSD arc4random() code. It outperforms OpenSSL 1.1.1a's CSPRNG by roughly a factor of 100 for small outputs. Although we believe it to be cryptographically strong, we are only using it when necessary for performance. Implements tickets 29023 and 29536. o Major bugfixes (bridges): - Consider our directory information to have changed when our list of bridges changes. Previously, Tor would not re-compute the status of its directory information when bridges changed, and therefore would not realize that it was no longer able to build circuits. Fixes part of bug 29875. - Do not count previously configured working bridges towards our total of working bridges. Previously, when Tor's list of bridges changed, it would think that the old bridges were still usable, and delay fetching router descriptors for the new ones. Fixes part of bug 29875; bugfix on 0.3.0.1-alpha. o Major bugfixes (circuit build, guard): - When considering upgrading circuits from "waiting for guard" to "open", always ignore circuits that are marked for close. Otherwise, we can end up in the situation where a subsystem is notified that a closing circuit has just opened, leading to undesirable behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha. o Major bugfixes (onion service reachability): - Properly clean up the introduction point map when circuits change purpose from onion service circuits to pathbias, measurement, or other circuit types. This should fix some service-side instances of introduction point failure. Fixes bug 29034; bugfix on 0.3.2.1-alpha. o Major bugfixes (onion service v3): - Fix an unreachable bug in which an introduction point could try to send an INTRODUCE_ACK with a status code that Trunnel would refuse to encode, leading the relay to assert(). We've consolidated the ABI values into Trunnel now. Fixes bug 30454; bugfix on 0.3.0.1-alpha. - Clients can now handle unknown status codes from INTRODUCE_ACK cells. (The NACK behavior will stay the same.) This will allow us to extend status codes in the future without breaking the normal client behavior. Fixes another part of bug 30454; bugfix on 0.3.0.1-alpha. o Minor features (authenticated SENDME): - Ensure that there is enough randomness on every circuit to prevent an attacker from successfully predicting the hashes they will need to include in authenticated SENDME cells. At a random interval, if we have not sent randomness already, we now leave some extra space at the end of a cell that we can fill with random bytes. Closes ticket 26846. o Minor features (circuit padding logging): - Demote noisy client-side warn logs about circuit padding to protocol warnings. Add additional log messages and circuit ID fields to help with bug 30992 and any other future issues. o Minor features (circuit padding): - We now use a fast PRNG when scheduling circuit padding. Part of ticket 28636. - Allow the padding machine designer to pick the edges of their histogram instead of trying to compute them automatically using an exponential formula. Resolves some undefined behavior in the case of small histograms and allows greater flexibility on machine design. Closes ticket 29298; bugfix on 0.4.0.1-alpha. - Allow circuit padding machines to hold a circuit open until they are done padding it. Closes ticket 28780. o Minor features (compile-time modules): - Add a "--list-modules" command to print a list of which compile- time modules are enabled. Closes ticket 30452. o Minor features (continuous integration): - Our Travis configuration now uses Chutney to run some network integration tests automatically. Closes ticket 29280. - When running coverage builds on Travis, we now set TOR_TEST_RNG_SEED, to avoid RNG-based coverage differences. Part of ticket 28878. - Remove sudo configuration lines from .travis.yml as they are no longer needed with current Travis build environment. Resolves issue 30213. - In Travis, show stem's tor log after failure. Closes ticket 30234. o Minor features (controller): - Add onion service version 3 support to the HSFETCH command. Previously, only version 2 onion services were supported. Closes ticket 25417. Patch by Neel Chauhan. o Minor features (debugging): - Introduce tor_assertf() and tor_assertf_nonfatal() to enable logging of additional information during assert failure. Now we can use format strings to include information for trouble shooting. Resolves ticket 29662. o Minor features (defense in depth): - In smartlist_remove_keeporder(), set unused pointers to NULL, in case a bug causes them to be used later. Closes ticket 30176. Patch from Tobias Stoeckmann. - Tor now uses a cryptographically strong PRNG even for decisions that we do not believe are security-sensitive. Previously, for performance reasons, we had used a trivially predictable linear congruential generator algorithm for certain load-balancing and statistical sampling decisions. Now we use our fast RNG in those cases. Closes ticket 29542. o Minor features (developer tools): - Tor's "practracker" test script now checks for files and functions that seem too long and complicated. Existing overlong functions and files are accepted for now, but should eventually be refactored. Closes ticket 29221. - Add some scripts used for git maintenance to scripts/git. Closes ticket 29391. - Call practracker from pre-push and pre-commit git hooks to let developers know if they made any code style violations. Closes ticket 30051. - Add a script to check that each header has a well-formed and unique guard macro. Closes ticket 29756. o Minor features (fallback directory list): - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc in December 2018 (of which ~122 were still functional), with a list of 148 fallbacks (70 new, 78 existing, 79 removed) generated in June 2019. Closes ticket 28795. o Minor features (geoip): - Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2 Country database. Closes ticket 30852. - Update geoip and geoip6 to the May 13 2019 Maxmind GeoLite2 Country database. Closes ticket 30522. o Minor features (HTTP tunnel): - Return an informative web page when the HTTPTunnelPort is used as an HTTP proxy. Closes ticket 27821, patch by "eighthave". o Minor features (IPv6, v3 onion services): - Make v3 onion services put IPv6 addresses in service descriptors. Before this change, service descriptors only contained IPv4 addresses. Implements 26992. o Minor features (logging): - Give a more useful assertion failure message if we think we have minherit() but we fail to make a region non-inheritable. Give a compile-time warning if our support for minherit() is incomplete. Closes ticket 30686. o Minor features (maintenance): - Add a new "make autostyle" target that developers can use to apply all automatic Tor style and consistency conversions to the codebase. Closes ticket 30539. o Minor features (modularity): - The "--disable-module-dirauth" compile-time option now disables even more dirauth-only code. Closes ticket 30345. o Minor features (performance): - Use OpenSSL's implementations of SHA3 when available (in OpenSSL 1.1.1 and later), since they tend to be faster than tiny-keccak. Closes ticket 28837. o Minor features (testing): - The circuitpadding tests now use a reproducible RNG implementation, so that if a test fails, we can learn why. Part of ticket 28878. - Tor's tests now support an environment variable, TOR_TEST_RNG_SEED, to set the RNG seed for tests that use a reproducible RNG. Part of ticket 28878. - When running tests in coverage mode, take additional care to make our coverage deterministic, so that we can accurately track changes in code coverage. Closes ticket 30519. - Tor's unit test code now contains helper functions to replace the PRNG with a deterministic or reproducible version for testing. Previously, various tests implemented this in various ways. Implements ticket 29732. - We now have a script, cov-test-determinism.sh, to identify places where our unit test coverage has become nondeterministic. Closes ticket 29436. - Check that representative subsets of values of `int` and `unsigned int` can be represented by `void *`. Resolves issue 29537. o Minor bugfixes (bridge authority): - Bridge authorities now set bridges as running or non-running when about to dump their status to a file. Previously, they set bridges as running in response to a GETINFO command, but those shouldn't modify data structures. Fixes bug 24490; bugfix on 0.2.0.13-alpha. Patch by Neel Chauhan. o Minor bugfixes (channel padding statistics): - Channel padding write totals and padding-enabled totals are now counted properly in relay extrainfo descriptors. Fixes bug 29231; bugfix on 0.3.1.1-alpha. o Minor bugfixes (circuit isolation): - Fix a logic error that prevented the SessionGroup sub-option from being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha. o Minor bugfixes (circuit padding): - Add a "CircuitPadding" torrc option to disable circuit padding. Fixes bug 28693; bugfix on 0.4.0.1-alpha. - Allow circuit padding machines to specify that they do not contribute much overhead, and provide consensus flags and torrc options to force clients to only use these low overhead machines. Fixes bug 29203; bugfix on 0.4.0.1-alpha. - Provide a consensus parameter to fully disable circuit padding, to be used in emergency network overload situations. Fixes bug 30173; bugfix on 0.4.0.1-alpha. - The circuit padding subsystem will no longer schedule padding if dormant mode is enabled. Fixes bug 28636; bugfix on 0.4.0.1-alpha. - Inspect a circuit-level cell queue before sending padding, to avoid sending padding while too much data is already queued. Fixes bug 29204; bugfix on 0.4.0.1-alpha. - Avoid calling monotime_absolute_usec() in circuit padding machines that do not use token removal or circuit RTT estimation. Fixes bug 29085; bugfix on 0.4.0.1-alpha. o Minor bugfixes (clock skew detection): - Don't believe clock skew results from NETINFO cells that appear to arrive before we sent the VERSIONS cells they are responding to. Previously, we would accept them up to 3 minutes "in the past". Fixes bug 31343; bugfix on 0.2.4.4-alpha. o Minor bugfixes (compatibility, standards compliance): - Fix a bug that would invoke undefined behavior on certain operating systems when trying to asprintf() a string exactly INT_MAX bytes long. We don't believe this is exploitable, but it's better to fix it anyway. Fixes bug 31001; bugfix on 0.2.2.11-alpha. Found and fixed by Tobias Stoeckmann. o Minor bugfixes (compilation warning): - Fix a compilation warning on Windows about casting a function pointer for GetTickCount64(). Fixes bug 31374; bugfix on 0.2.9.1-alpha. o Minor bugfixes (compilation): - Avoid using labs() on time_t, which can cause compilation warnings on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha. o Minor bugfixes (compilation, unusual configurations): - Avoid failures when building with the ALL_BUGS_ARE_FATAL option due to missing declarations of abort(), and prevent other such failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha. o Minor bugfixes (configuration, proxies): - Fix a bug that prevented us from supporting SOCKS5 proxies that want authentication along with configured (but unused!) ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha. o Minor bugfixes (continuous integration): - Allow the test-stem job to fail in Travis, because it sometimes hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha. - Skip test_rebind on macOS in Travis, because it is unreliable on macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha. - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha. o Minor bugfixes (controller protocol): - Teach the controller parser to distinguish an object preceded by an argument list from one without. Previously, it couldn't distinguish an argument list from the first line of a multiline object. Fixes bug 29984; bugfix on 0.2.3.8-alpha. o Minor bugfixes (crash on exit): - Avoid a set of possible code paths that could try to use freed memory in routerlist_free() while Tor was exiting. Fixes bug 31003; bugfix on 0.1.2.2-alpha. o Minor bugfixes (developer tooling): - Fix pre-push hook to allow fixup and squash commits when pushing to non-upstream git remote. Fixes bug 30286; bugfix on 0.4.0.1-alpha. o Minor bugfixes (directory authorities): - Stop crashing after parsing an unknown descriptor purpose annotation. We think this bug can only be triggered by modifying a local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha. - Move the "bandwidth-file-headers" line in directory authority votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix on 0.3.5.1-alpha. - Directory authorities with IPv6 support now always mark themselves as reachable via IPv6. Fixes bug 24338; bugfix on 0.2.4.1-alpha. Patch by Neel Chauhan. o Minor bugfixes (documentation): - Improve the documentation for using MapAddress with ".exit". Fixes bug 30109; bugfix on 0.1.0.1-rc. - Improve the monotonic time module and function documentation to explain what "monotonic" actually means, and document some results that have surprised people. Fixes bug 29640; bugfix on 0.2.9.1-alpha. - Use proper formatting when providing an example on quoting options that contain whitespace. Fixes bug 29635; bugfix on 0.2.3.18-rc. o Minor bugfixes (logging): - Do not log a warning when running with an OpenSSL version other than the one Tor was compiled with, if the two versions should be compatible. Previously, we would warn whenever the version was different. Fixes bug 30190; bugfix on 0.2.4.2-alpha. - Warn operators when the MyFamily option is set but ContactInfo is missing, as the latter should be set too. Fixes bug 25110; bugfix on 0.3.3.1-alpha. o Minor bugfixes (memory leaks): - Avoid a minor memory leak that could occur on relays when failing to create a "keys" directory. Fixes bug 30148; bugfix on 0.3.3.1-alpha. - Fix a trivial memory leak when parsing an invalid value from a download schedule in the configuration. Fixes bug 30894; bugfix on 0.3.4.1-alpha. o Minor bugfixes (NetBSD): - Fix usage of minherit() on NetBSD and other platforms that define MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug 30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell. o Minor bugfixes (onion services): - Avoid a GCC 9.1.1 warning (and possible crash depending on libc implemenation) when failing to load an onion service client authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha. - When refusing to launch a controller's HSFETCH request because of rate-limiting, respond to the controller with a new response, "QUERY_RATE_LIMITED". Previously, we would log QUERY_NO_HSDIR for this case. Fixes bug 28269; bugfix on 0.3.1.1-alpha. Patch by Neel Chauhan. - When relaunching a circuit to a rendezvous service, mark the circuit as needing high-uptime routers as appropriate. Fixes bug 17357; bugfix on 0.1.0.1-rc. Patch by Neel Chauhan. - Stop ignoring IPv6 link specifiers sent to v3 onion services. (IPv6 support for v3 onion services is still incomplete: see ticket 23493 for details.) Fixes bug 23588; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan. o Minor bugfixes (onion services, performance): - When building circuits to onion services, call tor_addr_parse() less often. Previously, we called tor_addr_parse() in circuit_is_acceptable() even if its output wasn't used. This change should improve performance when building circuits. Fixes bug 22210; bugfix on 0.2.8.12. Patch by Neel Chauhan. o Minor bugfixes (out-of-memory handler): - When purging the DNS cache because of an out-of-memory condition, try purging just the older entries at first. Previously, we would always purge the whole thing. Fixes bug 29617; bugfix on 0.3.5.1-alpha. o Minor bugfixes (performance): - When checking whether a node is a bridge, use a fast check to make sure that its identity is set. Previously, we used a constant-time check, which is not necessary in this case. Fixes bug 30308; bugfix on 0.3.5.1-alpha. o Minor bugfixes (pluggable transports): - Tor now sets TOR_PT_EXIT_ON_STDIN_CLOSE=1 for client transports as well as servers. Fixes bug 25614; bugfix on 0.2.7.1-alpha. o Minor bugfixes (portability): - Avoid crashing in our tor_vasprintf() implementation on systems that define neither vasprintf() nor _vscprintf(). (This bug has been here long enough that we question whether people are running Tor on such systems, but we're applying the fix out of caution.) Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by Tobias Stoeckmann. o Minor bugfixes (probability distributions): - Refactor and improve parts of the probability distribution code that made Coverity complain. Fixes bug 29805; bugfix on 0.4.0.1-alpha. o Minor bugfixes (python): - Stop assuming that /usr/bin/python3 exists. For scripts that work with python2, use /usr/bin/python. Otherwise, use /usr/bin/env python3. Fixes bug 29913; bugfix on 0.2.5.3-alpha. o Minor bugfixes (relay): - When running as a relay, if IPv6Exit is set to 1 while ExitRelay is auto, act as if ExitRelay is 1. Previously, we would ignore IPv6Exit if ExitRelay was 0 or auto. Fixes bug 29613; bugfix on 0.3.5.1-alpha. Patch by Neel Chauhan. o Minor bugfixes (static analysis): - Fix several spurious Coverity warnings about the unit tests, to lower our chances of missing real warnings in the future. Fixes bug 30150; bugfix on 0.3.5.1-alpha and various other Tor versions. o Minor bugfixes (stats): - When ExtraInfoStatistics is 0, stop including bandwidth usage statistics, GeoIPFile hashes, ServerTransportPlugin lines, and bridge statistics by country in extra-info documents. Fixes bug 29018; bugfix on 0.2.4.1-alpha. o Minor bugfixes (testing): - Call setrlimit() to disable core dumps in test_bt_cl.c. Previously we used `ulimit -c` in test_bt.sh, which violates POSIX shell compatibility. Fixes bug 29061; bugfix on 0.3.5.1-alpha. - Fix some incorrect code in the v3 onion service unit tests. Fixes bug 29243; bugfix on 0.3.2.1-alpha. - In the "routerkeys/*" tests, check the return values of mkdir() for possible failures. Fixes bug 29939; bugfix on 0.2.7.2-alpha. Found by Coverity as CID 1444254. - Split test_utils_general() into several smaller test functions. This makes it easier to perform resource deallocation on assert failure, and fixes Coverity warnings CID 1444117 and CID 1444118. Fixes bug 29823; bugfix on 0.2.9.1-alpha. o Minor bugfixes (tor-resolve): - Fix a memory leak in tor-resolve that could happen if Tor gave it a malformed SOCKS response. (Memory leaks in tor-resolve don't actually matter, but it's good to fix them anyway.) Fixes bug 30151; bugfix on 0.4.0.1-alpha. o Code simplification and refactoring: - Abstract out the low-level formatting of replies on the control port. Implements ticket 30007. - Add several assertions in an attempt to fix some Coverity warnings. Closes ticket 30149. - Introduce a connection_dir_buf_add() helper function that checks for compress_state of dir_connection_t and automatically writes a string to directory connection with or without compression. Resolves issue 28816. - Make the base32_decode() API return the number of bytes written, for consistency with base64_decode(). Closes ticket 28913. - Move most relay-only periodic events out of mainloop.c into the relay subsystem. Closes ticket 30414. - Refactor and encapsulate parts of the codebase that manipulate crypt_path_t objects. Resolves issue 30236. - Refactor several places in our code that Coverity incorrectly believed might have memory leaks. Closes ticket 30147. - Remove redundant return values in crypto_format, and the associated return value checks elsewhere in the code. Make the implementations in crypto_format consistent, and remove redundant code. Resolves ticket 29660. - Rename tor_mem_is_zero() to fast_mem_is_zero(), to emphasize that it is not a constant-time function. Closes ticket 30309. - Replace hs_desc_link_specifier_t with link_specifier_t, and remove all hs_desc_link_specifier_t-specific code. Fixes bug 22781; bugfix on 0.3.2.1-alpha. - Simplify v3 onion service link specifier handling code. Fixes bug 23576; bugfix on 0.3.2.1-alpha. - Split crypto_digest.c into NSS code, OpenSSL code, and shared code. Resolves ticket 29108. - Split control.c into several submodules, in preparation for distributing its current responsibilities throughout the codebase. Closes ticket 29894. - Start to move responsibility for knowing about periodic events to the appropriate subsystems, so that the mainloop doesn't need to know all the periodic events in the rest of the codebase. Implements tickets 30293 and 30294. o Documentation: - Mention URLs for Travis/Appveyor/Jenkins in ReleasingTor.md. Closes ticket 30630. - Document how to find git commits and tags for bug fixes in CodingStandards.md. Update some file documentation. Closes ticket 30261. o Removed features: - Remove the linux-tor-prio.sh script from contrib/operator-tools directory. Resolves issue 29434. - Remove the obsolete OpenSUSE initscript. Resolves issue 30076. - Remove the obsolete script at contrib/dist/tor.sh.in. Resolves issue 30075. o Testing: - Specify torrc paths (with empty files) when launching tor in integration tests; refrain from reading user and system torrcs. Resolves issue 29702. o Code simplification and refactoring (shell scripts): - Clean up many of our shell scripts to fix shellcheck warnings. These include autogen.sh (ticket 26069), test_keygen.sh (ticket 29062), test_switch_id.sh (ticket 29065), test_rebind.sh (ticket 29063), src/test/fuzz/minimize.sh (ticket 30079), test_rust.sh (ticket 29064), torify (ticket 29070), asciidoc-helper.sh (29926), fuzz_multi.sh (30077), fuzz_static_testcases.sh (ticket 29059), nagios-check-tor-authority-cert (ticket 29071), src/test/fuzz/fixup_filenames.sh (ticket 30078), test-network.sh (ticket 29060), test_key_expiration.sh (ticket 30002), zero_length_keys.sh (ticket 29068), and test_workqueue_*.sh (ticket 29067). o Testing (chutney): - In "make test-network-all", test IPv6-only v3 single onion services, using the chutney network single-onion-v23-ipv6-md. Closes ticket 27251. o Testing (continuous integration): - In Travis, make stem log a controller trace to the console, and tail stem's tor log after failure. Closes ticket 30591. - In Travis, only run the stem tests that use a tor binary. Closes ticket 30694.

1 0

Tor Browser 8.5.4 is released
by Nicolas Vigier 10 Jul '19

10 Jul '19

Tor Browser 8.5.4 is now available from the Tor Browser Download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/8.5.4/ Tor Browser 8.5.4 contains updates to a number of its components. Above all, we include Firefox 60.8.0esr which contains important security fixes [3]. Moreover, after some testing in the alpha series, we start shipping Tor 0.4.0.5 [4] and update OpenSSL to 1.0.2s for the desktop platforms. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/ 4: https://blog.torproject.org/new-release-tor-0405 Finally, we add a fundraising banner to help us getting more donations. Please donate [5] if you can! 5: https://donate.torproject.org/ The full changelog since Tor Browser 8.5.3 is: * All platforms * Update Firefox to 60.8.0esr * Update Torbutton to 2.1.12 * Bug 30577: Add Fundraising Banner * Bug 31041: Stop syncing network.cookie.lifetimePolicy * Translations update * Update HTTPS Everywhere to 2019.6.27 * Bug 31055+31058: Remove four default bridges * Bug 30712: Backport fix for Mozilla's bug 1552993 * Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833 * Windows + OS X + Linux * Update Tor to 0.4.0.5 * Update OpenSSL to 1.0.2s * Bug 29045: Ensure that tor does not start up in dormant mode * OS X * Bug 30631: Blurry Tor Browser icon on macOS app switcher

1 0

Tor Browser 8.5.3 is released
by Nicolas Vigier 21 Jun '19

21 Jun '19

Tor Browser 8.5.3 is now available from the Tor Browser Download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/8.5.3/ This release includes an important security update [3] in Firefox, a sandbox escape bug, which combined with additional vulnerabilities could result in executing arbitrary code on the user's computer. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/ Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings. The full changelog since Tor Browser 8.5.2 is: * All platforms * Pick up fix for Mozilla's bug 1560192

1 0

Tor Browser 8.5.2 is released
by Nicolas Vigier 19 Jun '19

19 Jun '19

Tor Browser 8.5.2 is now available from the Tor Browser Download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/8.5.2/ This release is fixing a critical security update [3] in Firefox. In addition we update NoScript to 10.6.3, fixing a few issues. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/ Users of the safer and safest security levels were not affected by this security issue. Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings. The full changelog since Tor Browser 8.5.1 is: * All platforms * Pick up fix for Mozilla's bug 1544386 * Update NoScript to 10.6.3 * Bug 29904: NoScript blocks MP4 on higher security levels * Bug 30624+29043+29647: Prevent XSS protection from freezing the browser

1 0

Tor Browser 8.5.1 is released
by Nicolas Vigier 04 Jun '19

04 Jun '19

Tor Browser 8.5.1 is now available from the Tor Browser Download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/8.5.1/ Tor Browser 8.5.1 is the first bugfix release in the 8.5 series and aims at mostly fixing regressions and providing small improvements related to our 8.5 release. Additionally, we disable the WebGL readPixel() fingerprinting vector [4], realizing, though, that we need a more holistic approach when trying to deal with the fingerprinting potential WebGL comes with. 4: https://trac.torproject.org/projects/tor/ticket/30541 The full changelog since Tor Browser 8.5 is: * All platforms * Update Torbutton to 2.1.10 * Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup * Bug 30464: Add WebGL to safer descriptions * Translations update * Update NoScript to 10.6.2 * Bug 29969: Remove workaround for Mozilla's bug 1532530 * Update HTTPS Everywhere to 2019.5.13 * Bug 30541: Disable WebGL readPixel() for web content * Windows + OS X + Linux * Bug 30560: Better match actual toolbar in onboarding toolbar graphic * Android * Bug 30635: Sync mobile default bridges list with desktop one * Build System * All platforms * Bug 30480: Check that signed tag contains expected tag name

1 0

Tor Browser 8.5 is released
by Nicolas Vigier 21 May '19

21 May '19

Tor Browser 8.5 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. The Android version is also available from Google Play [3] and should be available from F-Droid within the next day. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/8.5/ 3: https://play.google.com/store/apps/details?id=org.torproject.torbrowser This release features important security updates [4] to Firefox. 4: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/ After months of work and including feedback from our users, Tor Browser 8.5 includes our first stable release for Android plus many new features across platforms. _It's Official: Tor Browser is Stable on Android_ Tor Browser 8.5 is the first stable release for Android. Since we released the first alpha version in September [5], we've been hard at work making sure we can provide the protections users are already enjoying on desktop to the Android platform. Mobile browsing is increasing [6] around the world, and in some parts, it is commonly the only way people access the internet. In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users. 5: https://blog.torproject.org/new-alpha-release-tor-browser-android 6: https://www.theguardian.com/technology/2016/nov/02/mobile-web-browsing-desk… We made sure there are no proxy bypasses, that first-party isolation is enabled to protect you from cross-site tracking, and that most of the fingerprinting defenses are working. While there are still feature gaps [7] between the desktop and Android Tor Browser, we are confident that Tor Browser for Android provides essentially the same protections that can be found on desktop platforms. 7: https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb… Thanks to everyone working on getting our mobile experience into shape, in particular to Antonela, Matt, Igor, and Shane. Note: Though we cannot bring an official Tor Browser to iOS due to restrictions by Apple, the only app we recommend is Onion Browser [8], developed by Mike Tigas with help from the Guardian Project. 8: https://itunes.apple.com/us/app/onion-browser/id519296448?mt=8 _Improved Security Slider Accessibility_ Our security slider is an important tool for Tor Browser users, especially for those with sensitive security needs. However, its location behind the Torbutton menu made it hard to access. [9] 9: https://blog.torproject.org/sites/default/files/inline-images/tb85-ss4-smal… During the Tor Browser 8.5 development period, we revamped the experience so now the chosen security level appears on the toolbar. You can interact with the slider more easily now. For the fully planned changes check out proposal 101 [10]. 10: https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-secur… _A Fresh Look_ We made Tor Browser 8.5 compatible with Firefox's Photon UI and redesigned our logos and about:tor page across all the platforms we support to provide the same look and feel and improve accessibility. [11] 11: https://blog.torproject.org/sites/default/files/inline-images/icon%20update… The new Tor Browser icon was chosen through a round of voting in our community. We'd like to give a big thanks to everyone who helped make this release possible, including our users, who gave valuable feedback to our alpha versions. _Known Issues_ Tor Browser 8.5 comes with a number of known issues. The most important ones are: * While we improved accessibility support [12] for Windows users during our 8.5 stabilization, it's still not perfect. We are in the process of finishing patches for inclusion in an 8.5 point release. We are close here. 12: https://trac.torproject.org/projects/tor/ticket/27503 * There are bug reports [13][14][15] about WebGL related fingerprinting which we are investigating. We are currently testing a fix for the most problematic issue and will ship that in the next point release. 13: https://trac.torproject.org/projects/tor/ticket/30531 14: https://trac.torproject.org/projects/tor/ticket/30537 15: https://trac.torproject.org/projects/tor/ticket/30541 We already collected a number of unresolved bugs since releasing Tor Browser 8 and tagged them with our tbb-8.0-issues keyword [16] to keep them on our radar. Check them out before reporting if you find a bug. 16: https://trac.torproject.org/projects/tor/query?status=!closed&keywords=… _Give Feedback_ In addition to the known issues, we are always looking for feedback about ways we can make our software better for you. If you find a bug or have a suggestion for how we could improve this release, please let us know [17]. 17: https://trac.torproject.org/projects/tor/wiki/doc/community/HowToReportBugF… _Full Changelog_ The full changelog since Tor Browser 8.0.9 is: * All platforms * Update Firefox to 60.7.0esr * Update Torbutton to 2.1.8 * Bug 25013: Integrate Torbutton into tor-browser for Android * Bug 27111: Update about:tor desktop version to work on mobile * Bug 22538+22513: Fix new circuit button for error pages * Bug 25145: Update circuit display when back button is pressed * Bug 27749: Opening about:config shows circuit from previous website * Bug 30115: Map browser+domain to credentials to fix circuit display * Bug 25702: Update Tor Browser icon to follow design guidelines * Bug 21805: Add click-to-play button for WebGL * Bug 28836: Links on about:tor are not clickable * Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate * Bug 29825: Intelligently add new Security Level button to taskbar * Bug 29903: No WebGL click-to-play on the standard security level * Bug 27290: Remove WebGL pref for min capability mode * Bug 25658: Replace security slider with security level UI * Bug 28628: Change onboarding Security panel to open new Security Level panel * Bug 29440: Update about:tor when Tor Browser is updated * Bug 27478: Improved Torbutton icons for dark theme * Bug 29239: Don't ship the Torbutton .xpi on mobile * Bug 27484: Improve navigation within onboarding (strings) * Bug 29768: Introduce new features to users (strings) * Bug 28093: Update donation banner style to make it fit in small screens * Bug 28543: about:tor has scroll bar between widths 900px and 1000px * Bug 28039: Enable dump() if log method is 0 * Bug 27701: Don't show App Blocker dialog on Android * Bug 28187: Change tor circuit icon to torbutton.svg * Bug 29943: Use locales in AB-CD scheme to match Mozilla * Bug 26498: Add locale: es-AR * Bug 28082: Add locales cs, el, hu, ka * Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces * Bug 28075: Tone down missing SOCKS credential warning * Bug 30425: Revert armagadd-on-2.0 changes * Bug 30497: Add Donate link to about:tor * Bug 30069: Use slider and about:tor localizations on mobile * Bug 21263: Remove outdated information from the README * Bug 28747: Remove NoScript (XPCOM) related unused code * Translations update * Code clean-up * Update HTTPS Everywhere to 2019.5.6.1 * Bug 27290: Remove WebGL pref for min capability mode * Bug 29120: Enable media cache in memory * Bug 24622: Proper first-party isolation of s3.amazonaws.com * Bug 29082: Backport patches for bug 1469916 * Bug 28711: Backport patches for bug 1474659 * Bug 27828: "Check for Tor Browser update" doesn't seem to do anything * Bug 29028: Auto-decline most canvas warning prompts again * Bug 27919: Backport SSL status API * Bug 27597: Fix our debug builds * Bug 28082: Add locales cs, el, hu, ka * Bug 26498: Add locale: es-AR * Bug 29916: Make sure enterprise policies are disabled * Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js * Bug 29327: TypeError: hostName is null on about:tor page * Bug 30425: Revert armagadd-on-2.0 changes * Windows + OS X + Linux * Update OpenSSL to 1.0.2r * Update Tor Launcher to 0.2.18.3 * Bug 27994+25151: Use the new Tor Browser logo * Bug 29328: Account for Tor 0.4.0.x's revised bootstrap status reporting * Bug 22402: Improve "For assistance" link * Bug 27994: Use the new Tor Browser logo * Bug 25405: Cannot use Moat if a meek bridge is configured * Bug 27392: Update Moat URLs * Bug 28082: Add locales cs, el, hu, ka * Bug 26498: Add locale es-AR * Bug 28039: Enable dump() if log method is 0 * Translations update * Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines * Bug 28111: Use Tor Browser icon in identity box * Bug 22343: Make 'Save Page As' obey first-party isolation * Bug 29768: Introduce new features to users * Bug 27484: Improve navigation within onboarding * Bug 25658+29554: Replace security slider with security level UI * Bug 25658+29554: Replace security slider with security level UI * Bug 25405: Cannot use Moat if a meek bridge is configured * Bug 28885: notify users that update is downloading * Bug 29180: MAR download stalls when about dialog is opened * Bug 27485: Users are not taught how to open security-slider dialog * Bug 27486: Avoid about:blank tabs when opening onboarding pages * Bug 29440: Update about:tor when Tor Browser is updated * Bug 23359: WebExtensions icons are not shown on first start * Bug 28628: Change onboarding Security panel to open new Security Level panel * Bug 27905: Fix many occurrences of "Firefox" in about:preferences * Bug 28369: Stop shipping pingsender executable * Bug 30457: Remove defunct default bridges * Windows * Bug 27503: Improve screen reader accessibility * Bug 27865: Tor Browser 8.5a2 is crashing on Windows * Bug 22654: Firefox icon is shown for Tor Browser on Windows 10 start menu * Bug 28874: Bump mingw-w64 commit to fix WebGL crash * Bug 12885: Windows Jump Lists fail for Tor Browser * Bug 28618: Set MOZILLA_OFFICIAL for Windows build * Bug 21704: Abort install if CPU is missing SSE2 support * Bug 28002: Fix the precomplete file in the en-US installer * OS X * Bug 27623: Use MOZILLA_OFFICIAL for our builds * Linux * Bug 28022: Use `/usr/bin/env bash` for bash invocation * Bug 27623: Use MOZILLA_OFFICIAL for our builds * Android * Bug 5709: Ship Tor Browser for Android * Build System * All platforms * Bug 29868: Fix installation of python-future package * Bug 25623: Disable network during build * Bug 25876: Generate source tarballs during build * Bug 28685: Set Build ID based on Tor Browser version * Bug 29194: Set DEBIAN_FRONTEND=noninteractive * Bug 29167: Upgrade go to 1.11.5 * Bug 29158: Install updated apt packages (CVE-2019-3462) * Bug 29097: Don't try to install python3.6-lxml for HTTPS Everywhere * Bug 27061: Enable verification of langpacks checksums * Windows * Bug 26148: Update binutils to 2.31.1 * Bug 27320: Build certutil for Windows * OS X * Bug 27320: Build certutil for macOS * Linux * Bug 26323+29812: Build 32bit Linux bundles on 64bit Debian Wheezy * Bug 26148: Update binutils to 2.31.1 * Bug 29758: Build firefox debug symbols for linux-i686 * Bug 29966: Use archive.debian.org for Wheezy images * Bug 29183: Use linux-x86_64 langpacks on linux-x86_64 * Android * Bug 29981: Add option to build without using containers

1 0

Tor Browser 8.0.9 is released
by Nicolas Vigier 07 May '19

07 May '19

Tor Browser 8.0.9 is now available from the Tor Browser Download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/8.0.9/ This release is fixing the issue which caused NoScript and all other Firefox extensions signed by Mozilla to be disabled [3]. 3: https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-fire… If you used the workaround mentioned in our previous blog post [4], don't forget to set the xpinstall.signatures.required entry in about:config back to true after installing this update. 4: https://blog.torproject.org/noscript-temporarily-disabled-tor-browser Note: We did not bump the Firefox version number to be able to build faster, thus it will still show 60.6.1esr as the Firefox version. The full changelog since Tor Browser 8.0.8 is: * All platforms * Update Torbutton to 2.0.13 * Bug 30388: Make sure the updated intermediate certificate keeps working * Backport fixes for bug 1549010 and bug 1549061 * Bug 30388: Make sure the updated intermediate certificate keeps working * Update NoScript to 10.6.1 * Bug 29872: XSS popup with DuckDuckGo search on about:tor

1 0

Tor 0.4.0.5 is released.
by Nick Mathewson 03 May '19

03 May '19

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) After months of work, Tor 0.4.0.5 is now available! This is the first stable release in the 0.4.0.x series, and we hope you find it useful. You can download the source code from the website, at https://www.torproject.org/download/tor/ . Packages should be available within the next several weeks, with a new Tor Browser likely by some time later this month. Changes in version 0.4.0.5 - 2019-05-02 This is the first stable release in the 0.4.0.x series. It contains improvements for power management and bootstrap reporting, as well as preliminary backend support for circuit padding to prevent some kinds of traffic analysis. It also continues our work in refactoring Tor for long-term maintainability. Per our support policy, we will support the 0.4.0.x series for nine months, or until three months after the release of a stable 0.4.1.x: whichever is longer. If you need longer-term support, please stick with 0.3.5.x, which will we plan to support until Feb 2022. Below are the changes since 0.3.5.7. For a complete list of changes since 0.4.0.4-rc, see the ChangeLog file. o Major features (battery management, client, dormant mode): - When Tor is running as a client, and it is unused for a long time, it can now enter a "dormant" state. When Tor is dormant, it avoids network and CPU activity until it is reawoken either by a user request or by a controller command. For more information, see the configuration options starting with "Dormant". Implements tickets 2149 and 28335. - The client's memory of whether it is "dormant", and how long it has spent idle, persists across invocations. Implements ticket 28624. - There is a DormantOnFirstStartup option that integrators can use if they expect that in many cases, Tor will be installed but not used. o Major features (bootstrap reporting): - When reporting bootstrap progress, report the first connection uniformly, regardless of whether it's a connection for building application circuits. This allows finer-grained reporting of early progress than previously possible, with the improvements of ticket 27169. Closes tickets 27167 and 27103. Addresses ticket 27308. - When reporting bootstrap progress, treat connecting to a proxy or pluggable transport as separate from having successfully used that proxy or pluggable transport to connect to a relay. Closes tickets 27100 and 28884. o Major features (circuit padding): - Implement preliminary support for the circuit padding portion of Proposal 254. The implementation supports Adaptive Padding (aka WTF-PAD) state machines for use between experimental clients and relays. Support is also provided for APE-style state machines that use probability distributions instead of histograms to specify inter-packet delay. At the moment, Tor does not provide any padding state machines that are used in normal operation: for now, this feature exists solely for experimentation. Closes ticket 28142. o Major features (refactoring): - Tor now uses an explicit list of its own subsystems when initializing and shutting down. Previously, these systems were managed implicitly in various places throughout the codebase. (There may still be some subsystems using the old system.) Closes ticket 28330. o Major bugfixes (cell scheduler, KIST, security): - Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955. o Major bugfixes (networking): - Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha. o Major bugfixes (NSS, relay): - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for these ciphersuites don't work -- which caused relays to fail to handshake with one another when these ciphersuites were enabled. Fixes bug 29241; bugfix on 0.3.5.1-alpha. o Major bugfixes (windows, startup): - When reading a consensus file from disk, detect whether it was written in text mode, and re-read it in text mode if so. Always write consensus files in binary mode so that we can map them into memory later. Previously, we had written in text mode, which confused us when we tried to map the file on windows. Fixes bug 28614; bugfix on 0.4.0.1-alpha. o Minor features (address selection): - Treat the subnet 100.64.0.0/10 as public for some purposes; private for others. This subnet is the RFC 6598 (Carrier Grade NAT) IP range, and is deployed by many ISPs as an alternative to RFC 1918 that does not break existing internal networks. Tor now blocks SOCKS and control ports on these addresses and warns users if client ports or ExtORPorts are listening on a RFC 6598 address. Closes ticket 28525. Patch by Neel Chauhan. o Minor features (bandwidth authority): - Make bandwidth authorities ignore relays that are reported in the bandwidth file with the flag "vote=0". This change allows us to report unmeasured relays for diagnostic reasons without including their bandwidth in the bandwidth authorities' vote. Closes ticket 29806. - When a directory authority is using a bandwidth file to obtain the bandwidth values that will be included in the next vote, serve this bandwidth file at /tor/status-vote/next/bandwidth. Closes ticket 21377. o Minor features (bootstrap reporting): - When reporting bootstrap progress, stop distinguishing between situations where only internal paths are available and situations where external paths are available. Previously, Tor would often erroneously report that it had only internal paths. Closes ticket 27402. o Minor features (compilation): - Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from "Mangix". o Minor features (continuous integration): - On Travis Rust builds, cleanup Rust registry and refrain from caching the "target/" directory to speed up builds. Resolves issue 29962. - Log Python version during each Travis CI job. Resolves issue 28551. - In Travis, tell timelimit to use stem's backtrace signals, and launch python directly from timelimit, so python receives the signals from timelimit, rather than make. Closes ticket 30117. o Minor features (controller): - Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP. Implements ticket 28843. o Minor features (developer tooling): - Check that bugfix versions in changes files look like Tor versions from the versions spec. Warn when bugfixes claim to be on a future release. Closes ticket 27761. - Provide a git pre-commit hook that disallows commiting if we have any failures in our code and changelog formatting checks. It is now available in scripts/maint/pre-commit.git-hook. Implements feature 28976. - Provide a git hook script to prevent "fixup!" and "squash!" commits from ending up in the master branch, as scripts/main/pre- push.git-hook. Closes ticket 27993. o Minor features (diagnostic): - Add more diagnostic log messages in an attempt to solve the issue of NUL bytes appearing in a microdescriptor cache. Related to ticket 28223. o Minor features (directory authority): - When a directory authority is using a bandwidth file to obtain bandwidth values, include the digest of that file in the vote. Closes ticket 26698. - Directory authorities support a new consensus algorithm, under which the family lines in microdescriptors are encoded in a canonical form. This change makes family lines more compressible in transit, and on the client. Closes ticket 28266; implements proposal 298. o Minor features (directory authority, relay): - Authorities now vote on a "StaleDesc" flag to indicate that a relay's descriptor is so old that the relay should upload again soon. Relays treat this flag as a signal to upload a new descriptor. This flag will eventually let us remove the 'published' date from routerstatus entries, and make our consensus diffs much smaller. Closes ticket 26770; implements proposal 293. o Minor features (dormant mode): - Add a DormantCanceledByStartup option to tell Tor that it should treat a startup event as cancelling any previous dormant state. Integrators should use this option with caution: it should only be used if Tor is being started because of something that the user did, and not if Tor is being automatically started in the background. Closes ticket 29357. o Minor features (fallback directory mirrors): - Update the fallback whitelist based on operator opt-ins and opt- outs. Closes ticket 24805, patch by Phoul. o Minor features (FreeBSD): - On FreeBSD-based systems, warn relay operators if the "net.inet.ip.random_id" sysctl (IP ID randomization) is disabled. Closes ticket 28518. o Minor features (geoip): - Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2 Country database. Closes ticket 29992. o Minor features (HTTP standards compliance): - Stop sending the header "Content-type: application/octet-stream" along with transparently compressed documents: this confused browsers. Closes ticket 28100. o Minor features (IPv6): - We add an option ClientAutoIPv6ORPort, to make clients randomly prefer a node's IPv4 or IPv6 ORPort. The random preference is set every time a node is loaded from a new consensus or bridge config. We expect that this option will enable clients to bootstrap more quickly without having to determine whether they support IPv4, IPv6, or both. Closes ticket 27490. Patch by Neel Chauhan. - When using addrs_in_same_network_family(), avoid choosing circuit paths that pass through the same IPv6 subnet more than once. Previously, we only checked IPv4 subnets. Closes ticket 24393. Patch by Neel Chauhan. o Minor features (log messages): - Improve log message in v3 onion services that could print out negative revision counters. Closes ticket 27707. Patch by "ffmancera". o Minor features (memory usage): - Save memory by storing microdescriptor family lists with a more compact representation. Closes ticket 27359. - Tor clients now use mmap() to read consensus files from disk, so that they no longer need keep the full text of a consensus in memory when parsing it or applying a diff. Closes ticket 27244. o Minor features (NSS, diagnostic): - Try to log an error from NSS (if there is any) and a more useful description of our situation if we are using NSS and a call to SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241. o Minor features (parsing): - Directory authorities now validate that router descriptors and ExtraInfo documents are in a valid subset of UTF-8, and reject them if they are not. Closes ticket 27367. o Minor features (performance): - Cache the results of summarize_protocol_flags(), so that we don't have to parse the same protocol-versions string over and over. This should save us a huge number of malloc calls on startup, and may reduce memory fragmentation with some allocators. Closes ticket 27225. - Remove a needless memset() call from get_token_arguments, thereby speeding up the tokenization of directory objects by about 20%. Closes ticket 28852. - Replace parse_short_policy() with a faster implementation, to improve microdescriptor parsing time. Closes ticket 28853. - Speed up directory parsing a little by avoiding use of the non- inlined strcmp_len() function. Closes ticket 28856. - Speed up microdescriptor parsing by about 30%, to help improve startup time. Closes ticket 28839. o Minor features (pluggable transports): - Add support for emitting STATUS updates to Tor's control port from a pluggable transport process. Closes ticket 28846. - Add support for logging to Tor's logging subsystem from a pluggable transport process. Closes ticket 28180. o Minor features (process management): - Add a new process API for handling child processes. This new API allows Tor to have bi-directional communication with child processes on both Unix and Windows. Closes ticket 28179. - Use the subsystem manager to initialize and shut down the process module. Closes ticket 28847. o Minor features (relay): - When listing relay families, list them in canonical form including the relay's own identity, and try to give a more useful set of warnings. Part of ticket 28266 and proposal 298. o Minor features (required protocols): - Before exiting because of a missing required protocol, Tor will now check the publication time of the consensus, and not exit unless the consensus is newer than the Tor program's own release date. Previously, Tor would not check the consensus publication time, and so might exit because of a missing protocol that might no longer be required in a current consensus. Implements proposal 297; closes ticket 27735. o Minor features (testing): - Treat all unexpected ERR and BUG messages as test failures. Closes ticket 28668. - Allow a HeartbeatPeriod of less than 30 minutes in testing Tor networks. Closes ticket 28840. Patch by Rob Jansen. - Use the approx_time() function when setting the "Expires" header in directory replies, to make them more testable. Needed for ticket 30001. o Minor bugfixes (security): - Fix a potential double free bug when reading huge bandwidth files. The issue is not exploitable in the current Tor network because the vulnerable code is only reached when directory authorities read bandwidth files, but bandwidth files come from a trusted source (usually the authorities themselves). Furthermore, the issue is only exploitable in rare (non-POSIX) 32-bit architectures, which are not used by any of the current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by Tobias Stoeckmann. - Verify in more places that we are not about to create a buffer with more than INT_MAX bytes, to avoid possible OOB access in the event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by Tobias Stoeckmann. o Minor bugfix (continuous integration): - Reset coverage state on disk after Travis CI has finished. This should prevent future coverage merge errors from causing the test suite for the "process" subsystem to fail. The process subsystem was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix on 0.2.9.15. - Terminate test-stem if it takes more than 9.5 minutes to run. (Travis terminates the job after 10 minutes of no output.) Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha. o Minor bugfixes (build, compatibility, rust): - Update Cargo.lock file to match the version made by the latest version of Rust, so that "make distcheck" will pass again. Fixes bug 29244; bugfix on 0.3.3.4-alpha. o Minor bugfixes (C correctness): - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug 29824; bugfix on 0.3.1.1-alpha. This is Coverity warning CID 1444119. o Minor bugfixes (client, clock skew): - Bootstrap successfully even when Tor's clock is behind the clocks on the authorities. Fixes bug 28591; bugfix on 0.2.0.9-alpha. - Select guards even if the consensus has expired, as long as the consensus is still reasonably live. Fixes bug 24661; bugfix on 0.3.0.1-alpha. o Minor bugfixes (compilation): - Fix compilation warnings in test_circuitpadding.c. Fixes bug 29169; bugfix on 0.4.0.1-alpha. - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug 29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn. - Compile correctly on OpenBSD; previously, we were missing some headers required in order to detect it properly. Fixes bug 28938; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. o Minor bugfixes (directory clients): - Mark outdated dirservers when Tor only has a reasonably live consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha. o Minor bugfixes (directory mirrors): - Even when a directory mirror's clock is behind the clocks on the authorities, we now allow the mirror to serve "future" consensuses. Fixes bug 28654; bugfix on 0.3.0.1-alpha. o Minor bugfixes (DNS): - Gracefully handle an empty or absent resolve.conf file by falling back to using "localhost" as a DNS server (and hoping it works). Previously, we would just stop running as an exit. Fixes bug 21900; bugfix on 0.2.1.10-alpha. o Minor bugfixes (documentation): - Describe the contents of the v3 onion service client authorization files correctly: They hold public keys, not private keys. Fixes bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix". o Minor bugfixes (guards): - In count_acceptable_nodes(), the minimum number is now one bridge or guard node, and two non-guard nodes for a circuit. Previously, we had added up the sum of all nodes with a descriptor, but that could cause us to build failing circuits when we had either too many bridges or not enough guard nodes. Fixes bug 25885; bugfix on 0.3.6.1-alpha. Patch by Neel Chauhan. o Minor bugfixes (IPv6): - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the IPv6 socket was bound using an address family of AF_INET instead of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. o Minor bugfixes (linux seccomp sandbox): - Fix startup crash when experimental sandbox support is enabled. Fixes bug 29150; bugfix on 0.4.0.1-alpha. Patch by Peter Gerber. o Minor bugfixes (logging): - Correct a misleading error message when IPv4Only or IPv6Only is used but the resolved address can not be interpreted as an address of the specified IP version. Fixes bug 13221; bugfix on 0.2.3.9-alpha. Patch from Kris Katterjohn. - Log the correct port number for listening sockets when "auto" is used to let Tor pick the port number. Previously, port 0 was logged instead of the actual port number. Fixes bug 29144; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. - Stop logging a BUG() warning when Tor is waiting for exit descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha. - Avoid logging that we are relaxing a circuit timeout when that timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha. - Log more information at "warning" level when unable to read a private key; log more information at "info" level when unable to read a public key. We had warnings here before, but they were lost during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha. - Rework rep_hist_log_link_protocol_counts() to iterate through all link protocol versions when logging incoming/outgoing connection counts. Tor no longer skips version 5, and we won't have to remember to update this function when new link protocol version is developed. Fixes bug 28920; bugfix on 0.2.6.10. o Minor bugfixes (memory management): - Refactor the shared random state's memory management so that it actually takes ownership of the shared random value pointers. Fixes bug 29706; bugfix on 0.2.9.1-alpha. - Stop leaking parts of the shared random state in the shared-random unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha. o Minor bugfixes (misc): - The amount of total available physical memory is now determined using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) when it is defined and a 64-bit variant is not available. Fixes bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn. o Minor bugfixes (networking): - Introduce additional checks into tor_addr_parse() to reject certain incorrect inputs that previously were not detected. Fixes bug 23082; bugfix on 0.2.0.10-alpha. o Minor bugfixes (onion service v3, client): - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS connection waiting for a descriptor that we actually have in the cache. It turns out that this can actually happen, though it is rare. Now, tor will recover and retry the descriptor. Fixes bug 28669; bugfix on 0.3.2.4-alpha. o Minor bugfixes (onion services): - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more than one private key for a hidden service. Fixes bug 29040; bugfix on 0.3.5.1-alpha. - In hs_cache_store_as_client() log an HSDesc we failed to parse at "debug" level. Tor used to log it as a warning, which caused very long log lines to appear for some users. Fixes bug 29135; bugfix on 0.3.2.1-alpha. - Stop logging "Tried to establish rendezvous on non-OR circuit..." as a warning. Instead, log it as a protocol warning, because there is nothing that relay operators can do to fix it. Fixes bug 29029; bugfix on 0.2.5.7-rc. o Minor bugfixes (periodic events): - Refrain from calling routerlist_remove_old_routers() from check_descriptor_callback(). Instead, create a new hourly periodic event. Fixes bug 27929; bugfix on 0.2.8.1-alpha. o Minor bugfixes (pluggable transports): - Make sure that data is continously read from standard output and standard error pipes of a pluggable transport child-process, to avoid deadlocking when a pipe's buffer is full. Fixes bug 26360; bugfix on 0.2.3.6-alpha. o Minor bugfixes (rust): - Abort on panic in all build profiles, instead of potentially unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha. o Minor bugfixes (scheduler): - When re-adding channels to the pending list, check the correct channel's sched_heap_idx. This issue has had no effect in mainline Tor, but could have led to bugs down the road in improved versions of our circuit scheduling code. Fixes bug 29508; bugfix on 0.3.2.10. o Minor bugfixes (shellcheck): - Look for scripts in their correct locations during "make shellcheck". Previously we had looked in the wrong place during out-of-tree builds. Fixes bug 30263; bugfix on 0.4.0.1-alpha. o Minor bugfixes (single onion services): - Allow connections to single onion services to remain idle without being disconnected. Previously, relays acting as rendezvous points for single onion services were mistakenly closing idle rendezvous circuits after 60 seconds, thinking that they were unused directory-fetching circuits that had served their purpose. Fixes bug 29665; bugfix on 0.2.1.26. o Minor bugfixes (stats): - When ExtraInfoStatistics is 0, stop including PaddingStatistics in relay and bridge extra-info documents. Fixes bug 29017; bugfix on 0.3.1.1-alpha. o Minor bugfixes (testing): - Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a recent test-network.sh to use new chutney features in CI. Fixes bug 29703; bugfix on 0.2.9.1-alpha. - Fix a test failure on Windows caused by an unexpected "BUG" warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix on 0.2.9.3-alpha. - Downgrade some LOG_ERR messages in the address/* tests to warnings. The LOG_ERR messages were occurring when we had no configured network. We were failing the unit tests, because we backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug 29530; bugfix on 0.3.5.8. - Fix our gcov wrapper script to look for object files at the correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha. - Decrease the false positive rate of stochastic probability distribution tests. Fixes bug 29693; bugfix on 0.4.0.1-alpha. - Fix intermittent failures on an adaptive padding test. Fixes one case of bug 29122; bugfix on 0.4.0.1-alpha. - Disable an unstable circuit-padding test that was failing intermittently because of an ill-defined small histogram. Such histograms will be allowed again after 29298 is implemented. Fixes a second case of bug 29122; bugfix on 0.4.0.1-alpha. - Detect and suppress "bug" warnings from the util/time test on Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha. - Do not log an error-level message if we fail to find an IPv6 network interface from the unit tests. Fixes bug 29160; bugfix on 0.2.7.3-rc. - Instead of relying on hs_free_all() to clean up all onion service objects in test_build_descriptors(), we now deallocate them one by one. This lets Coverity know that we are not leaking memory there and fixes CID 1442277. Fixes bug 28989; bugfix on 0.3.5.1-alpha. - Check the time in the "Expires" header using approx_time(). Fixes bug 30001; bugfix on 0.4.0.4-rc. o Minor bugfixes (TLS protocol): - When classifying a client's selection of TLS ciphers, if the client ciphers are not yet available, do not cache the result. Previously, we had cached the unavailability of the cipher list and never looked again, which in turn led us to assume that the client only supported the ancient V1 link protocol. This, in turn, was causing Stem integration tests to stall in some cases. Fixes bug 30021; bugfix on 0.2.4.8-alpha. o Minor bugfixes (UI): - Lower log level of unlink() errors during bootstrap. Fixes bug 29930; bugfix on 0.4.0.1-alpha. o Minor bugfixes (usability): - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate(). Some users took this phrasing to mean that the mentioned guard was under their control or responsibility, which it is not. Fixes bug 28895; bugfix on Tor 0.3.0.1-alpha. o Minor bugfixes (Windows, CI): - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit Windows Server 2012 R2 job. The remaining 2 jobs still provide coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set fast_finish, so failed jobs terminate the build immediately. Fixes bug 29601; bugfix on 0.3.5.4-alpha. o Code simplification and refactoring: - Introduce a connection_dir_buf_add() helper function that detects whether compression is in use, and adds a string accordingly. Resolves issue 28816. - Refactor handle_get_next_bandwidth() to use connection_dir_buf_add(). Implements ticket 29897. - Reimplement NETINFO cell parsing and generation to rely on trunnel-generated wire format handling code. Closes ticket 27325. - Remove unnecessary unsafe code from the Rust macro "cstr!". Closes ticket 28077. - Rework SOCKS wire format handling to rely on trunnel-generated parsing/generation code. Resolves ticket 27620. - Split out bootstrap progress reporting from control.c into a separate file. Part of ticket 27402. - The .may_include files that we use to describe our directory-by- directory dependency structure now describe a noncircular dependency graph over the directories that they cover. Our checkIncludes.py tool now enforces this noncircularity. Closes ticket 28362. o Documentation: - Clarify that Tor performs stream isolation among *Port listeners by default. Resolves issue 29121. - In the manpage entry describing MapAddress torrc setting, use example IP addresses from ranges specified for use in documentation by RFC 5737. Resolves issue 28623. - Mention that you cannot add a new onion service if Tor is already running with Sandbox enabled. Closes ticket 28560. - Improve ControlPort documentation. Mention that it accepts address:port pairs, and can be used multiple times. Closes ticket 28805. - Document the exact output of "tor --version". Closes ticket 28889. o Removed features: - Remove the old check-tor script. Resolves issue 29072. - Stop responding to the 'GETINFO status/version/num-concurring' and 'GETINFO status/version/num-versioning' control port commands, as those were deprecated back in 0.2.0.30. Also stop listing them in output of 'GETINFO info/names'. Resolves ticket 28757. - The scripts used to generate and maintain the list of fallback directories have been extracted into a new "fallback-scripts" repository. Closes ticket 27914. o Testing: - Run shellcheck for scripts in the in scripts/ directory. Closes ticket 28058. - Add unit tests for tokenize_string() and get_next_token() functions. Resolves ticket 27625. o Code simplification and refactoring (onion service v3): - Consolidate the authorized client descriptor cookie computation code from client and service into one function. Closes ticket 27549. o Code simplification and refactoring (shell scripts): - Cleanup scan-build.sh to silence shellcheck warnings. Closes ticket 28007. - Fix issues that shellcheck found in chutney-git-bisect.sh. Resolves ticket 28006. - Fix issues that shellcheck found in updateRustDependencies.sh. Resolves ticket 28012. - Fix shellcheck warnings in cov-diff script. Resolves issue 28009. - Fix shellcheck warnings in run_calltool.sh. Resolves ticket 28011. - Fix shellcheck warnings in run_trunnel.sh. Resolves issue 28010. - Fix shellcheck warnings in scripts/test/coverage. Resolves issue 28008.

1 0