This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit 3b143927b39d243017c9c6f0a1a662c4b302f7e5 Author: Tor CI Release no-email@torproject.org AuthorDate: Thu Aug 11 14:37:39 2022 +0000

version: Bump version to 0.4.5.13-dev --- configure.ac | 4 ++-- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac index e4cdb3430d..8e4cb80ae7 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc. dnl See LICENSE for licensing information

AC_PREREQ([2.63]) -AC_INIT([tor],[0.4.5.13]) +AC_INIT([tor],[0.4.5.13-dev]) AC_CONFIG_SRCDIR([src/app/main/tor_main.c]) AC_CONFIG_MACRO_DIR([m4])

@@ -16,7 +16,7 @@ configure_flags="$*" # version number changes. Tor uses it to make sure that it # only shuts down for missing "required protocols" when those protocols # are listed as required by a consensus after this date. -AC_DEFINE(APPROX_RELEASE_DATE, ["2022-08-11"], # for 0.4.5.13 +AC_DEFINE(APPROX_RELEASE_DATE, ["2022-08-11"], # for 0.4.5.13-dev [Approximate date when this software was released. (Updated when the version changes.)])

# "foreign" means we don't follow GNU package layout standards diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index a7c10c9c25..a795ad05af 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.4.5.13" +!define VERSION "0.4.5.13-dev" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index 6b54dba237..4de9237f5c 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -217,7 +217,7 @@ #define USING_TWOS_COMPLEMENT

/* Version number of package */ -#define VERSION "0.4.5.13" +#define VERSION "0.4.5.13-dev"

#define HAVE_STRUCT_SOCKADDR_IN6 #define HAVE_STRUCT_IN6_ADDR

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit 8e868600dd7d7d9566001c46181404ed15c3be61 Author: Tor CI Release no-email@torproject.org AuthorDate: Thu Aug 11 14:37:39 2022 +0000

version: Bump version to 0.4.6.11-dev --- configure.ac | 4 ++-- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac index c7a75d581f..a8e73ddae6 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc. dnl See LICENSE for licensing information

AC_PREREQ([2.63]) -AC_INIT([tor],[0.4.6.11]) +AC_INIT([tor],[0.4.6.11-dev]) AC_CONFIG_SRCDIR([src/app/main/tor_main.c]) AC_CONFIG_MACRO_DIR([m4])

@@ -18,7 +18,7 @@ AC_DEFINE_UNQUOTED([CONFIG_FLAGS], ["$configure_flags"], [Flags passed to config # version number changes. Tor uses it to make sure that it # only shuts down for missing "required protocols" when those protocols # are listed as required by a consensus after this date. -AC_DEFINE(APPROX_RELEASE_DATE, ["2022-08-11"], # for 0.4.6.11 +AC_DEFINE(APPROX_RELEASE_DATE, ["2022-08-11"], # for 0.4.6.11-dev [Approximate date when this software was released. (Updated when the version changes.)])

# "foreign" means we don't follow GNU package layout standards diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index 8999230a4a..80570abf6a 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.4.6.11" +!define VERSION "0.4.6.11-dev" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index 991da621de..64b4819dce 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -217,7 +217,7 @@ #define USING_TWOS_COMPLEMENT

/* Version number of package */ -#define VERSION "0.4.6.11" +#define VERSION "0.4.6.11-dev"

#define HAVE_STRUCT_SOCKADDR_IN6 #define HAVE_STRUCT_IN6_ADDR

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit 1506eca5aa387f2911d25bdb6a1459279b713c26 Author: Tor CI Release no-email@torproject.org AuthorDate: Thu Aug 11 14:37:39 2022 +0000

version: Bump version to 0.4.7.9-dev --- configure.ac | 4 ++-- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac index 778e485d5c..28d94d3592 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc. dnl See LICENSE for licensing information

AC_PREREQ([2.63]) -AC_INIT([tor],[0.4.7.9]) +AC_INIT([tor],[0.4.7.9-dev]) AC_CONFIG_SRCDIR([src/app/main/tor_main.c]) AC_CONFIG_MACRO_DIR([m4])

@@ -18,7 +18,7 @@ AC_DEFINE_UNQUOTED([CONFIG_FLAGS], ["$configure_flags"], [Flags passed to config # version number changes. Tor uses it to make sure that it # only shuts down for missing "required protocols" when those protocols # are listed as required by a consensus after this date. -AC_DEFINE(APPROX_RELEASE_DATE, ["2022-08-11"], # for 0.4.7.9 +AC_DEFINE(APPROX_RELEASE_DATE, ["2022-08-11"], # for 0.4.7.9-dev [Approximate date when this software was released. (Updated when the version changes.)])

# "foreign" means we don't follow GNU package layout standards diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index 152d19d6b7..c46ac0024a 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.4.7.9" +!define VERSION "0.4.7.9-dev" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index b6a6c69e49..e03e4c8d0f 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -217,7 +217,7 @@ #define USING_TWOS_COMPLEMENT

/* Version number of package */ -#define VERSION "0.4.7.9" +#define VERSION "0.4.7.9-dev"

#define HAVE_STRUCT_SOCKADDR_IN6 #define HAVE_STRUCT_IN6_ADDR

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit bbc29f4a11696012c0fc073daac76d6a726e953a Author: David Goulet dgoulet@torproject.org AuthorDate: Thu Aug 11 11:19:19 2022 -0400

release: Update ChangeLog/ReleaseNotes with latest releases

Signed-off-by: David Goulet dgoulet@torproject.org --- ChangeLog | 212 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ReleaseNotes | 212 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 424 insertions(+)

diff --git a/ChangeLog b/ChangeLog index 0ed1710d7b..7661caf26f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,215 @@ +Changes in version 0.4.7.9 - 2022-08-11 + This version contains several major fixes aimed at reducing memory pressure on + relays and possible side-channel. It also contains a major bugfix related to + congestion control also aimed at reducing memory pressure on relays. + Finally, there is last one major bugfix related to Vanguard L2 layer node + selection. + + We strongly recommend to upgrade to this version especially for Exit relays + in order to help the network defend against this ongoing DDoS. + + o Major bugfixes (congestion control): + - Implement RFC3742 Limited Slow Start. Congestion control was + overshooting the congestion window during slow start, particularly + for onion service activity. With this fix, we now update the + congestion window more often during slow start, as well as dampen + the exponential growth when the congestion window grows above a + capping parameter. This should reduce the memory increases guard + relays were seeing, as well as allow us to set lower queue limits + to defend against ongoing DoS attacks. Fixes bug 40642; bugfix + on 0.4.7.5-alpha. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Major bugfixes (vanguards): + - We had omitted some checks for whether our vanguards (second layer + guards from proposal 333) overlapped. Now make sure to pick each + of them to be independent. Also, change the design to allow them + to come from the same family. Fixes bug 40639; bugfix + on 0.4.7.1-alpha. + + o Minor features (dirauth): + - Add a torrc option to control the Guard flag bandwidth threshold + percentile. Closes ticket 40652. + - Add an AuthDirVoteGuard torrc option that can allow authorities to + assign the Guard flag to the given fingerprints/country code/IPs. + This is a needed feature mostly for defense purposes in case a DoS + hits the network and relay start losing the Guard flags too fast. + - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE, + TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable + from torrc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor bugfixes (congestion control): + - Add a check for an integer underflow condition that might happen + in cases where the system clock is stopped, the ORconn is blocked, + and the endpoint sends more than a congestion window worth of non- + data control cells at once. This would cause a large congestion + window to be calculated instead of a small one. No security + impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + +Changes in version 0.4.6.11 - 2022-08-11 + This version contains two major fixes aimed at reducing memory pressure on + relays and possible side-channel. The rest of the fixes were backported for + stability or safety purposes. + + This is the very LAST version of this series. As of August 1st 2022, it is + end-of-life (EOL). We thus strongly recommend to upgrade to the latest + stable of the 0.4.7.x series. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor features (linux seccomp2 sandbox): + - Permit the clone3 syscall, which is apparently used in glibc-2.34 + and later. Closes ticket 40590. + + o Minor bugfixes (controller, path bias): + - When a circuit's path is specified, in full or in part, from the + controller API, do not count that circuit towards our path-bias + calculations. (Doing so was incorrect, since we cannot tell + whether the controller is selecting relays randomly.) Resolves a + "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Allow the rseq system call in the sandbox. This solves a crash + issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug + 40601; bugfix on 0.3.5.11. + + o Minor bugfixes (metrics port, onion service): + - The MetricsPort line for an onion service with multiple ports are now + unique that is one line per port. Before this, all ports of an onion + service would be on the same line which violates the Prometheus rules of + unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service, client): + - Fix a fatal assert due to a guard subsystem recursion triggered by + the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack + found by OSS-Fuzz in our consensus-diff parsing code. This attack + causes a lot small of memory allocations and then immediately + frees them: this is only slow when running with all the sanitizers + enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + +Changes in version 0.4.5.13 - 2022-08-11 + This version contains two major fixes aimed at reducing memory pressure on + relays and possible side-channel. The rest of the fixes were backported for + stability or safety purposes. We strongly recommend to upgrade your relay to + this version or, ideally, to the latest stable of the 0.4.7.x series. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor features (linux seccomp2 sandbox): + - Permit the clone3 syscall, which is apparently used in glibc-2.34 + and later. Closes ticket 40590. + + o Minor bugfixes (controller, path bias): + - When a circuit's path is specified, in full or in part, from the + controller API, do not count that circuit towards our path-bias + calculations. (Doing so was incorrect, since we cannot tell + whether the controller is selecting relays randomly.) Resolves a + "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Allow the rseq system call in the sandbox. This solves a crash + issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug + 40601; bugfix on 0.3.5.11. + + o Minor bugfixes (metrics port, onion service): + - The MetricsPort line for an onion service with multiple ports are now + unique that is one line per port. Before this, all ports of an onion + service would be on the same line which violates the Prometheus rules of + unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service, client): + - Fix a fatal assert due to a guard subsystem recursion triggered by + the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack + found by OSS-Fuzz in our consensus-diff parsing code. This attack + causes a lot small of memory allocations and then immediately + frees them: this is only slow when running with all the sanitizers + enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + Changes in version 0.4.7.8 - 2022-06-17 This version fixes several bugfixes including a High severity security issue categorized as a Denial of Service. Everyone running an earlier version diff --git a/ReleaseNotes b/ReleaseNotes index ae90f71510..a1c741ce84 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -2,6 +2,218 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file.

+Changes in version 0.4.7.9 - 2022-08-11 + This version contains several major fixes aimed at reducing memory pressure on + relays and possible side-channel. It also contains a major bugfix related to + congestion control also aimed at reducing memory pressure on relays. + Finally, there is last one major bugfix related to Vanguard L2 layer node + selection. + + We strongly recommend to upgrade to this version especially for Exit relays + in order to help the network defend against this ongoing DDoS. + + o Major bugfixes (congestion control): + - Implement RFC3742 Limited Slow Start. Congestion control was + overshooting the congestion window during slow start, particularly + for onion service activity. With this fix, we now update the + congestion window more often during slow start, as well as dampen + the exponential growth when the congestion window grows above a + capping parameter. This should reduce the memory increases guard + relays were seeing, as well as allow us to set lower queue limits + to defend against ongoing DoS attacks. Fixes bug 40642; bugfix + on 0.4.7.5-alpha. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Major bugfixes (vanguards): + - We had omitted some checks for whether our vanguards (second layer + guards from proposal 333) overlapped. Now make sure to pick each + of them to be independent. Also, change the design to allow them + to come from the same family. Fixes bug 40639; bugfix + on 0.4.7.1-alpha. + + o Minor features (dirauth): + - Add a torrc option to control the Guard flag bandwidth threshold + percentile. Closes ticket 40652. + - Add an AuthDirVoteGuard torrc option that can allow authorities to + assign the Guard flag to the given fingerprints/country code/IPs. + This is a needed feature mostly for defense purposes in case a DoS + hits the network and relay start losing the Guard flags too fast. + - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE, + TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable + from torrc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor bugfixes (congestion control): + - Add a check for an integer underflow condition that might happen + in cases where the system clock is stopped, the ORconn is blocked, + and the endpoint sends more than a congestion window worth of non- + data control cells at once. This would cause a large congestion + window to be calculated instead of a small one. No security + impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + +Changes in version 0.4.6.11 - 2022-08-11 + This version contains two major fixes aimed at reducing memory pressure on + relays and possible side-channel. The rest of the fixes were backported for + stability or safety purposes. + + This is the very LAST version of this series. As of August 1st 2022, it is + end-of-life (EOL). We thus strongly recommend to upgrade to the latest + stable of the 0.4.7.x series. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor features (linux seccomp2 sandbox): + - Permit the clone3 syscall, which is apparently used in glibc-2.34 + and later. Closes ticket 40590. + + o Minor bugfixes (controller, path bias): + - When a circuit's path is specified, in full or in part, from the + controller API, do not count that circuit towards our path-bias + calculations. (Doing so was incorrect, since we cannot tell + whether the controller is selecting relays randomly.) Resolves a + "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Allow the rseq system call in the sandbox. This solves a crash + issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug + 40601; bugfix on 0.3.5.11. + + o Minor bugfixes (metrics port, onion service): + - The MetricsPort line for an onion service with multiple ports are now + unique that is one line per port. Before this, all ports of an onion + service would be on the same line which violates the Prometheus rules of + unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service, client): + - Fix a fatal assert due to a guard subsystem recursion triggered by + the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack + found by OSS-Fuzz in our consensus-diff parsing code. This attack + causes a lot small of memory allocations and then immediately + frees them: this is only slow when running with all the sanitizers + enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + +Changes in version 0.4.5.13 - 2022-08-11 + This version contains two major fixes aimed at reducing memory pressure on + relays and possible side-channel. The rest of the fixes were backported for + stability or safety purposes. We strongly recommend to upgrade your relay to + this version or, ideally, to the latest stable of the 0.4.7.x series. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor features (linux seccomp2 sandbox): + - Permit the clone3 syscall, which is apparently used in glibc-2.34 + and later. Closes ticket 40590. + + o Minor bugfixes (controller, path bias): + - When a circuit's path is specified, in full or in part, from the + controller API, do not count that circuit towards our path-bias + calculations. (Doing so was incorrect, since we cannot tell + whether the controller is selecting relays randomly.) Resolves a + "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Allow the rseq system call in the sandbox. This solves a crash + issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug + 40601; bugfix on 0.3.5.11. + + o Minor bugfixes (metrics port, onion service): + - The MetricsPort line for an onion service with multiple ports are now + unique that is one line per port. Before this, all ports of an onion + service would be on the same line which violates the Prometheus rules of + unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service, client): + - Fix a fatal assert due to a guard subsystem recursion triggered by + the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack + found by OSS-Fuzz in our consensus-diff parsing code. This attack + causes a lot small of memory allocations and then immediately + frees them: this is only slow when running with all the sanitizers + enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + Changes in version 0.4.7.8 - 2022-06-17 This version fixes several bugfixes including a High severity security issue categorized as a Denial of Service. Everyone running an earlier version