Tor is out

Roger Dingledine arma at
Thu Feb 8 05:32:38 UTC 2007

This is the seventh development snapshot for the 0.1.2.x series. It makes
rate limiting much more comfortable for servers, along with a huge pile
of other bugfixes.

Changes in version - 2007-02-06
  o Major bugfixes (rate limiting):
    - Servers decline directory requests much more aggressively when
      they're low on bandwidth. Otherwise they end up queueing more and
      more directory responses, which can't be good for latency.
    - But never refuse directory requests from local addresses.
    - Fix a memory leak when sending a 503 response for a networkstatus
    - Be willing to read or write on local connections (e.g. controller
      connections) even when the global rate limiting buckets are empty.
    - If our system clock jumps back in time, don't publish a negative
      uptime in the descriptor. Also, don't let the global rate limiting
      buckets go absurdly negative.
    - Flush local controller connection buffers periodically as we're
      writing to them, so we avoid queueing 4+ megabytes of data before
      trying to flush.

  o Major bugfixes (NT services):
    - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
      command-line flag so that admins can override the default by saying
      "tor --service install --user "SomeUser"".  This will not affect
      existing installed services.  Also, warn the user that the service
      will look for its configuration file in the service user's
      %appdata% directory.  (We can't do the 'hardwire the user's appdata
      directory' trick any more, since we may not have read access to that

  o Major bugfixes (other):
    - Previously, we would cache up to 16 old networkstatus documents
      indefinitely, if they came from nontrusted authorities. Now we
      discard them if they are more than 10 days old.
    - Fix a crash bug in the presence of DNS hijacking (reported by Andrew
      Del Vecchio).
    - Detect and reject malformed DNS responses containing circular
      pointer loops.
    - If exits are rare enough that we're not marking exits as guards,
      ignore exit bandwidth when we're deciding the required bandwidth
      to become a guard.
    - When we're handling a directory connection tunneled over Tor,
      don't fill up internal memory buffers with all the data we want
      to tunnel; instead, only add it if the OR connection that will
      eventually receive it has some room for it. (This can lead to
      slowdowns in tunneled dir connections; a better solution will have
      to wait for 0.2.0.)

  o Minor bugfixes (dns):
    - Add some defensive programming to eventdns.c in an attempt to catch
      possible memory-stomping bugs.
    - Detect and reject DNS replies containing IPv4 or IPv6 records with
      an incorrect number of bytes. (Previously, we would ignore the
      extra bytes.)
    - Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles
      in the correct order, and doesn't crash.
    - Free memory held in recently-completed DNS lookup attempts on exit.
      This was not a memory leak, but may have been hiding memory leaks.
    - Handle TTL values correctly on reverse DNS lookups.
    - Treat failure to parse resolv.conf as an error.
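
The two DNS parsing checks in this release (rejecting circular compression-pointer loops, listed under the major bugfixes above, and rejecting A/AAAA records with the wrong number of bytes) can be illustrated as follows. This is an added example, not code from Tor or eventdns.c; the names dns_name_parse and dns_addr_rdlength_ok and the sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample messages (not captured traffic): 12-byte header, then names. */
static const uint8_t GOOD_MSG[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'o','r','g', 0, /* offset 12 */
    3,'f','t','p', 0xC0, 16 };      /* offset 29: "ftp" + pointer to offset 16 */
static const uint8_t LOOP_MSG[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    1,'a', 0xC0, 12 };              /* offset 12: "a" + pointer back to offset 12 */

/* Decode the name at `off` into dotted form. Returns 0, or -1 if malformed. */
int dns_name_parse(const uint8_t *msg, size_t len, size_t off,
                   char *out, size_t outlen)
{
    size_t used = 0, jumps = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (off >= len) return -1;                /* ran off the packet */
        uint8_t c = msg[off++];
        if (c == 0) break;                        /* root label ends the name */
        if ((c & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off >= len) return -1;            /* second pointer byte missing */
            /* Fewer than len distinct pointer positions exist, so more
             * jumps than that means one was revisited: a pointer loop. */
            if (++jumps > len) return -1;
            off = ((size_t)(c & 0x3F) << 8) | msg[off];
            continue;
        }
        if (c & 0xC0) return -1;                  /* reserved label type */
        if (c > len - off) return -1;             /* label overruns packet */
        if (used + c + 2 > outlen) return -1;     /* name too long for caller */
        if (used) out[used++] = '.';
        memcpy(out + used, msg + off, c);
        used += c;
        off += c;
    }
    out[used] = '\0';
    return 0;
}

/* A records carry exactly 4 bytes and AAAA exactly 16; reject any other
 * RDLENGTH instead of ignoring the surplus bytes. */
int dns_addr_rdlength_ok(uint16_t type, uint16_t rdlength)
{
    if (type == 1)  return rdlength == 4;         /* A */
    if (type == 28) return rdlength == 16;        /* AAAA */
    return 1;                                     /* other types not checked here */
}
```

Requiring pointers to point backwards is not sufficient on its own, as LOOP_MSG shows: its pointer targets an earlier offset and still cycles, which is why the parser bounds the number of jumps.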

  o Minor bugfixes (other):
    - Fix crash with "tor --list-fingerprint" (reported by seeess).
    - When computing clock skew from directory HTTP headers, consider what
      time it was when we finished asking for the directory, not what
      time it is now.
    - Expire socks connections if they spend too long waiting for the
      handshake to finish. Previously we would let them sit around for
      days, if the connecting application didn't close them either.
    - And if the socks handshake hasn't started, don't send a
      "DNS resolve socks failed" handshake reply; just close it.
    - Stop using C functions that OpenBSD's linker doesn't like.
    - Don't launch requests for descriptors unless we have networkstatuses
      from at least half of the authorities.  This delays the first
      download slightly under pathological circumstances, but can prevent
      us from downloading a bunch of descriptors we don't need.
    - Do not log IPs with TLS failures for incoming TLS
      connections. (Fixes bug 382.)
    - If the user asks to use invalid exit nodes, be willing to use
      unstable ones.
    - Stop using the reserved ac_cv namespace in our configure script.
    - Call stat() slightly less often; use fstat() when possible.
    - Refactor the way we handle pending circuits when an OR connection
      completes or fails, in an attempt to fix a rare crash bug.
    - Only rewrite a conn's address based on X-Forwarded-For: headers
      if it's a parseable public IP address; and stop adding extra quotes
      to the resulting address.
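
The X-Forwarded-For rule in the last item above, sketched as an added example (not Tor's code). The function names, the IPv4-only scope and the exact list of ranges treated as non-public are assumptions of this example; the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Return 1 if the IPv4 address (host byte order) is publicly routable. */
static int ipv4_is_public(uint32_t a)
{
    if ((a >> 24) == 0)      return 0;   /* 0.0.0.0/8 "this network" */
    if ((a >> 24) == 10)     return 0;   /* 10.0.0.0/8 private */
    if ((a >> 24) == 127)    return 0;   /* 127.0.0.0/8 loopback */
    if ((a >> 16) == 0xA9FE) return 0;   /* 169.254.0.0/16 link-local */
    if ((a >> 20) == 0xAC1)  return 0;   /* 172.16.0.0/12 private */
    if ((a >> 16) == 0xC0A8) return 0;   /* 192.168.0.0/16 private */
    if ((a >> 28) >= 0xE)    return 0;   /* 224.0.0.0/4 and 240.0.0.0/4 */
    return 1;
}

/* Decide whether a connection's recorded address may be replaced by the
 * value of an X-Forwarded-For header. Returns 1 and writes the canonical
 * dotted quad (no added quotes) to `out` only when the whole value is one
 * parseable, public IPv4 address; otherwise returns 0 and leaves `out`
 * untouched, so the caller keeps the socket's own peer address. */
int xff_rewrite_address(const char *value, char *out, size_t outlen)
{
    struct in_addr in;
    char buf[INET_ADDRSTRLEN];

    if (!value || strlen(value) >= sizeof buf) return 0;
    if (inet_pton(AF_INET, value, &in) != 1) return 0;  /* lists, names, junk */
    if (!ipv4_is_public(ntohl(in.s_addr))) return 0;    /* spoofed internal IP */
    if (!inet_ntop(AF_INET, &in, buf, sizeof buf)) return 0;
    if (strlen(buf) + 1 > outlen) return 0;
    strcpy(out, buf);
    return 1;
}
```

Since the header is client-supplied, refusing internal addresses keeps a remote peer from presenting itself as a local connection, which matters in this release because local addresses are exempt from directory-request refusal and rate limiting.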

  o Major features:
    - Weight directory requests by advertised bandwidth. Now we can
      let servers enable write limiting but still allow most clients to
      succeed at their directory requests. (We still ignore weights when
      choosing a directory authority; I hope this is a feature.)

  o Minor features:
    - Create a new file ReleaseNotes which was the old ChangeLog. The
      new ChangeLog file now includes the summaries for all development
      versions too.
    - Check for addresses with invalid characters at the exit as well
      as at the client, and warn less verbosely when they fail. You can
      override this by setting ServerDNSAllowNonRFC953Addresses to 1.
    - Adapt a patch from goodell to let the contrib/exitlist script
      take arguments rather than require direct editing.
    - Inform the server operator when we decide not to advertise a
      DirPort due to AccountingMax enabled or a low BandwidthRate. It
      was confusing Zax, so now we're hopefully more helpful.
    - Bring us one step closer to being able to establish an encrypted
      directory tunnel without knowing a descriptor first. Still not
      ready yet. As part of the change, now assume we can use a
      create_fast cell if we don't know anything about a router.
    - Allow exit nodes to use nameservers running on ports other than 53.
    - Servers now cache reverse DNS replies.
    - Add an --ignore-missing-torrc command-line option so that we can
      get the "use sensible defaults if the configuration file doesn't
      exist" behavior even when specifying a torrc location on the command

  o Minor features (controller):
    - Track reasons for OR connection failure; make these reasons
      available via the controller interface. (Patch from Mike Perry.)
    - Add a SOCKS_BAD_HOSTNAME client status event so controllers
      can learn when clients are sending malformed hostnames to Tor.
    - Clean up documentation for controller status events.
    - Add a REMAP status to stream events to note that a stream's
      address has changed because of a cached address or a MapAddress
