commit 12b1d64b0378450fb8c69dfe81fde2d1cd1b36b1
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Thu Apr 24 15:18:45 2014 -0400
Revise changelog verbiage; try to tighten it up.
---
ChangeLog | 239 +++++++++++++++++++++++++++++--------------------------------
1 file changed, 113 insertions(+), 126 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cc5f676..01fd1b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,94 +2,86 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
This release includes several security and performance improvements
for clients and relays, including XXX
- This release marks end-of-line for Tor 0.2.2.x; those Tor versions have
- accumulated many known flaws; everyone should upgrade.
+ This release marks end-of-line for Tor 0.2.2.x; those Tor versions
+ have accumulated many known flaws; everyone should upgrade.
o Major features (security):
- - Block authority signing keys that were used on an authorities
- vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
don't have any evidence that these keys _were_ compromised; we're
doing this to be prudent.) Resolves ticket 11464.
o Major features (relay performance):
- - Faster server-side lookups of rendezvous and introduction point
- circuits by using hashtables instead of linear searches over all
- the circuits. These functions previously accounted between 3 and
- 7% of CPU usage on some busy relays.
- - Avoid wasting cycles looking for usable circuit IDs. Previously,
- when allocating a new circuit ID, we would in the worst case do a
- linear scan over the entire possible range of circuit IDs before
- deciding that we had exhausted our possibilities. Now, we try 64
- circuit IDs at random before deciding that we probably won't
- succeed. Fix for a possible root cause of ticket #11553.
-
- o Major features (seccomp2 sandbox):
- - Refinements and improvements to the Linux seccomp2 sandbox code:
- the sandbox can now run a test network for multiple hours without
- crashing. (Previous crash reasons included: reseeding the OpenSSL
- PRNG, seeding the Libevent PRNG, using the wrong combination of
- CLOEXEC and NONBLOCK at the same place and time, having onion
- keys, being an authority, receiving a HUP, or using IPv6.) The
- sandbox is still experimental, and more bugs will probably turn
- up. To try it, enable "Sandbox 1" on a Linux host.
- - Strengthen the Linux seccomp2 sandbox code: the sandbox can now
- test the arguments for rename(), and blocks _sysctl() entirely.
- - When the Linux syscall sandbox finds an illegal system call, it
- now tries to log a stack trace before exiting. Resolves ticket
- 11465.
+ - Speed up server-side lookups of rendezvous and introduction point
+ circuits by using hashtables instead of linear searches. These
+ functions previously accounted between 3 and 7% of CPU usage on
+ some busy relays. Resolves ticket 9841.
+ - Avoid wasting CPU when extending a circuit over a channel that is
+ nearly out of circuit IDs. Previously, we would in the worst case
+ do a linear scan over all possible circuit IDs before deciding
+ that we had exhausted our possibilities. Now, we try at most 64
+ random circuit IDs before deciding that we probably won't succeed.
+ Fix for a possible root cause of ticket #11553.
+
+ o Major features (seccomp2 sandbox, Linux only):
+ - The seccomp2 sandbox can now run a test network for multiple hours
+ without crashing. The sandbox is still experimental, and more bugs
+ will probably turn up. To try it, enable "Sandbox 1" on a Linux
+ host.
+ - Strengthen sandbox code: the sandbox can now test the arguments
+ for rename(), and blocks _sysctl() entirely.
+ - When the sandbox blocks a system call, it now tries to log a stack
+ trace before exiting. Resolves ticket 11465.
o Major bugfixes (TLS cipher selection):
- - Generate the relay's preference list for ciphersuites
- automatically based on uniform criteria, and considering all
- OpenSSL ciphersuites with acceptable strength and forward secrecy.
- (The sort order is: prefer AES to 3DES; break ties by preferring
- ECDHE to DHE; break ties by preferring GCM to CBC; break ties by
- preferring SHA384 to SHA256 to SHA1; and finally, break ties by
- preferring AES256 to AES128.) This resolves bugs #11513, #11492,
- #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
+ - The relay ciphersuite list is now generated automatically based on
+ uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy. Previously, we had
+ omitted some perfectly fine ciphersuites. Resolves bugs #11513,
+ #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
0.2.4.8-alpha.
- Relays now trust themselves to have a better view than clients of
- which TLS ciphersuites to choose. (Thanks to #11513, the relay
- list is now well-considered, whereas the client list has been
- chosen mainly for anti-fingerprinting purposes.) Resolves ticket
- 11528.
- - Update the list of TLS ciphersuites that a client advertises to
- match those advertised by Firefox 28. This enables selection of
- (fast) GCM ciphersuites, disables some strange old ciphers, and
- disables the ECDH (not to be confused with ECDHE) ciphersuites.
- Resolves ticket 11438.
+ which TLS ciphersuites are better than others. (Thanks to #11513,
+ the relay list is now well-considered, whereas the client list has
+ been chosen mainly for anti-fingerprinting purposes.) Relays
+ prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC;
+ then SHA384 over SHA256 over SHA1; and last, AES256 over AES128.
+ Resolves ticket 11528.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28. This change enables selection of (fast) GCM
+ ciphersuites, disables some strange old ciphers, and disables the
+ ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket
+ 11438.
o Major bugfixes (undefined behavior):
- - Fix two instances of possible undefined behavior in channeltls.c
- that could, under unlucky circumstances, have led to a pointer
- overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and
- 0.2.3.6-alpha. Reported by "bobnomnom".
- - Fix another possibly undefined pointer operations in tor_memmem
- fallback implementation. Another case of bug #10363; bugfix on
- 0.1.1.1-alpha.
- - Fix another possibly undefined pointer operations in the eventdns
- fallback implementation. Another case of bug #10363; bugfix on
- 0.1.2.1-alpha.
- - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix
- some miscellaneous errors in our tests and codebase. Fix for bug
- 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
+ - Fix various instances of undefined behavior in channeltls.c,
+ tor_memmem(), and eventdns.c, that would cause us to construct
+ pointers to memory outside an allocated object. (These invalid
+ pointers were not accessed, but C does not even allow them to
+ exist.) Fixes bug #10363; bugfixes on 0.2.0.10-alpha,
+ 0.2.3.6-alpha, 0.1.1.1-alpha, and 0.1.2.1-alpha. Reported by
+ "bobnomnom".
+ - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
+ fix some miscellaneous errors in our tests and codebase. Fix for
+ bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
o Minor features (Transparent proxy, *BSD):
- - Support the ipfw firewall interface for transparent proxy support
- on FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc.
- Resolves ticket 10267; patch from "yurivict".
- - Support OpenBSD's divert-to rules with the pf firewall, when
- "TransProxyType pf-divert" is specified. This allows Tor to run a
- TransPort transparent proxy port on OpenBSD 4.4 or later without
- root privileges. See the pf.conf(5) manual page for information on
- configuring pf to use divert-to rules. Closes ticket 10896; patch
- from Dana Koch.
+ - Support FreeBSD's ipfw firewall interface for TransPort ports. on
+ FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
+ 10267; patch from "yurivict".
+ - Support OpenBSD's divert-to rules with the pf firewall for
+ transparent proxy ports. To enable it, set "TransProxyType pf-
+ divert". This allows Tor to run a TransPort transparent proxy port
+ on OpenBSD 4.4 or later without root privileges. See the
+ pf.conf(5) manual page for information on configuring pf to use
+ divert-to rules. Closes ticket 10896; patch from Dana Koch.
o Minor features (security):
- - New --enable-expensive-hardening option to turn on security
+ - New --enable-expensive-hardening option to enable security
hardening options that consume nontrivial amounts of CPU and
- memory. Right now, this includes AddressSanitizer and UbSan.
- Closes ticket 11477.
+ memory. Right now, this includes AddressSanitizer and UbSan, which
+ are supported in newer versions of GCC and Clang. Closes ticket
+ 11477.
- If you don't specify MaxMemInQueues yourself, Tor now tries to
pick a good value based on your total system memory. Previously,
the default was always 8 GB. You can still override the default by
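Review bot: the rewritten ipfw entry (`+ - Support FreeBSD's ipfw firewall interface for TransPort ports. on` / `+ FreeBSD. To enable it, set "TransProxyType ipfw".`) names FreeBSD twice and has a stray full stop in the middle of the sentence; suggest `Support FreeBSD's ipfw firewall interface for TransPort ports. To enable it, set "TransProxyType ipfw".` Two smaller points in the same hunk: the pf entry wraps the option value across lines as `"TransProxyType pf-` / `divert"`, which someone copying it into a torrc can read as a hyphen-terminated word, so keep `pf-divert` on one line; and the sanitizer is spelled `Ubsan` in the undefined-behavior entry but `UbSan` in the --enable-expensive-hardening entry, so pick one spelling. Also note that merging the three #10363 entries now credits "bobnomnom" for all of them, whereas the removed text credited that report only for the channeltls.c instance.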
@@ -105,16 +97,14 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
at every 5% of progress. Fixes bug 9963.
o Minor features (relay):
- - If a circuit timed out for at least 3 minutes check if we have a
- new external IP address the next time we run our routine checks.
- If our IP address has changed, then publish a new descriptor with
- the new IP address. Resolves ticket 2454.
+ - If a circuit timed out for at least 3 minutes, check if we have a
+ new external IP address, and publish a new descriptor with the new
+ IP address if it changed. Resolves ticket 2454.
- Warn less verbosely when receiving a malformed
ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
- When we run out of usable circuit IDs on a channel, log only one
- warning for the whole channel, and include a description of how
- many circuits there were on the channel. Fix for part of ticket
- #11553.
+ warning for the whole channel, and describe how many circuits
+ there were on the channel. Fix for part of ticket #11553.
o Minor features (controller):
- Make the entire exit policy available from the control port via
@@ -131,36 +121,34 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
going unnoticed. Closes ticket 8787.
o Minor features (bridge client):
- - Report a failure to connect to a bridge because its transport type
- has no configured pluggable transport as a new type of bootstrap
- failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
+ - Report a more useful failure message when we can't connect to a
+ bridge because we don't have the right pluggable transport
+ configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
o Minor features (diagnostic):
- - Try harder to diagnose a possible cause of bug 7164, which causes
+ - Add more log messages to diagnose bug 7164, which causes
intermittent "microdesc_free() called but md was still referenced"
- warnings. We now log more information about the likely error case,
- to try to figure out why we might be cleaning a microdescriptor as
- old if it's still referenced by a live node_t object.
+ warnings. We now include more information, to figure out why we
+ might be cleaning a microdescriptor for being too old if it's
+ still referenced by a live node_t object.
o Minor bugfixes (logging):
- - Log only one message when we start logging in an unsafe way.
- Previously, we would log as many messages as we had problems. Fix
- for #9870; bugfix on 0.2.5.1-alpha.
+ - Warn only once we start logging in an unsafe way. Previously, we
+ complain as many times we had problems. Fix for #9870; bugfix on
+ 0.2.5.1-alpha.
- Using the Linux seccomp2 sandbox no longer prevents stack-trace
logging on crashes or errors. Fixes part 11465; bugfix on
0.2.5.1-alpha.
- Only report the first fatal bootstrap error on a given OR
- connection. This prevents controllers from declaring that a
- connection has failed because of "DONE" or other junk reasons.
- Fixes bug 10431; bugfix on 0.2.1.1-alpha.
- - Improve the warning message when trying to enable the Linux
- sandbox code on a Tor built without libseccomp. Instead of saying
- "Sandbox is not implemented on this platform", we now explain that
- we to need be built with libseccomp. Fixes bug 11543; bugfix on
- 0.2.5.1-alpha.
- - Avoid generating spurious warnings and failure messages when
- starting with DisableNetwork enabled. Fixes bug 11200 and bug
- 10405; bugfix on 0.2.3.9-alpha.
+ connection. This stops us from telling the controller bogus error
+ messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
+ - Be more helpful when trying to run sandboxed on Linux without
+ libseccomp. Instead of saying "Sandbox is not implemented on this
+ platform", we now explain that we to need be built with
+ libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
+ - Avoid generating spurious warnings when starting with
+ DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
+ 0.2.3.9-alpha.
o Minor bugfixes (closing channels):
- If write_to_buf() in connection_write_to_buf_impl_() ever fails,
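Review bot: the rewritten unsafe-logging entry (`+ - Warn only once we start logging in an unsafe way. Previously, we` / `+ complain as many times we had problems.`) reads as if the warning fires once logging begins rather than once per run, and the second sentence has lost its tense and the "as"; suggest `Warn only once when we start logging in an unsafe way. Previously, we would complain as many times as we had problems.` In the same hunk, the libseccomp entry carries over the word-order slip `we to need be built with libseccomp` from the removed text; it should read `we need to be built with libseccomp`.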
@@ -169,12 +157,12 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
connection_mark_for_close() directly. Fixes bug #11304; bugfix on
0.2.4.4-alpha.
- When closing all connections on setting DisableNetwork to 1, use
- connection_or_close_normally() rather than closing OR connections out
- from under the channel layer. Fixes bug #11306; bugfix on
+ connection_or_close_normally() rather than closing OR connections
+ out from under the channel layer. Fixes bug #11306; bugfix on
0.2.4.4-alpha.
o Minor bugfixes (controller):
- - Avoid sending an garbage value to the controller when a circuit is
+ - Avoid sending a garbage value to the controller when a circuit is
cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
o Minor bugfixes (tor-fw-helper):
@@ -187,24 +175,24 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
Fixes bug 9650; bugfix on 0.2.3.16-alpha.
o Minor bugfixes (misc):
- - Don't re-initialize a second set of openssl mutexes when starting
- up. Fixes bug 11726; bugfix on 0.2.5.3-alpha.
-
- o Minor bugfixes (memory leaks):
- - Fix a minor memory leak that occurred when signing a directory
- object. Fixes bug 11275; bugfix on 0.2.4.13-alpha.
+ - Don't re-initialize a second set of OpenSSL mutexes when starting
+ up. Previously, we'd make one set of mutexes, and then immediately
+ replace them with another. Fixes bug 11726; bugfix on
+ 0.2.5.3-alpha.
o Minor bugfixes (platform-specific):
- Fix compilation on Solaris, which does not have <endian.h>. Fixes
bug 11426; bugfix on 0.2.5.3-alpha.
- When dumping a malformed directory object to disk, save it in
- binary mode on windows, not text mode. Fixes bug 11342; bugfix on
+ binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
0.2.2.1-alpha.
- - When reporting a failure from make_socket_reuseable(), don't
- report a warning when we get a failure from an incoming socket on
- OSX. Fix for bug 10081.
+ - Don't report failures from make_socket_reuseable() on incoming
+ sockets on OSX: this can happen when incoming connections close
+ early. Fix for bug 10081.
o Minor bugfixes (trivial memory leaks):
+ - Fix a small memory leak when signing a directory object. Fixes bug
+ 11275; bugfix on 0.2.4.13-alpha.
- Free placeholder entries in our circuit table at exit; fixes a
harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha.
- Resolve some memory leaks found by coverity in the unit tests, on
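Review bot: the make_socket_reuseable() entry (`+ - Don't report failures from make_socket_reuseable() on incoming` / `+ sockets on OSX: this can happen when incoming connections close` / `+ early. Fix for bug 10081.`) is the only bugfix in this hunk without a `bugfix on <version>` clause, which every neighbouring entry carries; if the introducing version is known it should be added, and if the change is really a warning-suppression rather than a fix it may belong under a features heading instead of "Minor bugfixes (platform-specific)".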
@@ -217,23 +205,22 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
times, not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc.
o Minor bugfixes (bridge client):
- - Stop accepting bridge lines containing hostnames. Doing so allowed
- clients to perform DNS requests on the hostnames, which was not
- sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
- - Fix a bug where a client-side Tor with pluggable transports would
- take 60 seconds to bootstrap if a config re-read was triggered at
- just the right timing during bootstrap. Re-fixes bug 11156; bugfix
- on 0.2.5.3-alpha.
+ - Stop accepting bridge lines containing hostnames. Doing so would
+ cause clients to perform DNS requests on the hostnames, which was
+ not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
+ - Avoid a 60-second delay in the bootstrapping process when a Tor
+ client with pluggable transports re-reads its configuration at
+ just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha.
- Avoid 60-second delays in the bootstrapping process when Tor is
launching for a second time while using bridges. Fixes bug 9229;
bugfix on 0.2.0.3-alpha.
o Minor bugfixes (DNS):
- - When receiving a DNS query for an unsupported type, reply with no
- answer rather than with a NOTIMPL error. This behavior isn't
- correct either, but it will break fewer client programs, we hope.
- Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from
- "epoch".
+ - When receiving a DNS query for an unsupported record type, reply
+ with no answer rather than with a NOTIMPL error. This behavior
+ isn't correct either, but it will break fewer client programs, we
+ hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
+ from "epoch".
o Minor bugfixes (exit):
- Stop leaking memory when we successfully resolve a PTR record.
@@ -266,8 +253,8 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
o Deprecated versions:
- Tor 0.2.2.x has reached end-of-life; it has received no patches or
attention for some while. Directory authorities no longer accept
- descriptors from relays running any version of Tor prior to
- Tor 0.2.3.16-alpha. Resolves ticket 11149.
+ descriptors from relays running any version of Tor prior to Tor
+ 0.2.3.16-alpha. Resolves ticket 11149.
o Testing:
- New macros in test.h to simplify writing mock-functions for unit