mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-19 01:40:23 +01:00
Copy changelog and releasenotes entries from today's releases.
This commit is contained in:
parent
9f35dd9e8a
commit
9a14f1ef64
667
ChangeLog
667
ChangeLog
@ -1,3 +1,670 @@
|
||||
|
||||
Changes in version 0.3.3.3-alpha - 2018-03-03
|
||||
Tor 0.3.3.3-alpha is the third alpha release for the 0.3.3.x series.
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities tracked as TROVE-2018-001.
|
||||
|
||||
Additionally, with this release, we are upgrading the severity of a
|
||||
bug fixed in 0.3.3.2-alpha. Bug 24700, which was fixed in
|
||||
0.3.3.2-alpha, can be remotely triggered in order to crash relays with
|
||||
a use-after-free pattern. As such, we are now tracking that bug as
|
||||
TROVE-2018-002 and CVE-2018-0491. This bug affected versions
|
||||
0.3.2.1-alpha through 0.3.2.9, as well as 0.3.3.1-alpha.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
Relays running 0.3.2.x should upgrade to one of the versions released
|
||||
today, for the fix to TROVE-2018-002. Directory authorities should
|
||||
also upgrade. (Relays on earlier versions might want to update too for
|
||||
the DoS mitigations.)
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Minor features (compatibility, OpenSSL):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (logging):
|
||||
- Clarify the log messages produced when getrandom() or a related
|
||||
entropy-generation mechanism gives an error. Closes ticket 25120.
|
||||
|
||||
o Minor features (testing):
|
||||
- Add a "make test-rust" target to run the rust tests only. Closes
|
||||
ticket 25071.
|
||||
|
||||
o Minor bugfixes (denial-of-service):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfixes (DoS mitigation):
|
||||
- Add extra safety checks when refilling the circuit creation bucket
|
||||
to ensure we never set a value above the allowed maximum burst.
|
||||
Fixes bug 25202; bugfix on 0.3.3.2-alpha.
|
||||
- When a new consensus arrives, don't update our DoS-mitigation
|
||||
parameters if we aren't a public relay. Fixes bug 25223; bugfix
|
||||
on 0.3.3.2-alpha.
|
||||
|
||||
o Minor bugfixes (man page, SocksPort):
|
||||
- Remove dead code from the old "SocksSocket" option, and rename
|
||||
SocksSocketsGroupWritable to UnixSocksGroupWritable. The old option
|
||||
still works, but is deprecated. Fixes bug 24343; bugfix on 0.2.6.3.
|
||||
|
||||
o Minor bugfixes (performance):
|
||||
- Reduce the number of circuits that will be opened at once during
|
||||
the circuit build timeout phase. This is done by increasing the
|
||||
idle timeout to 3 minutes, and lowering the maximum number of
|
||||
concurrent learning circuits to 10. Fixes bug 24769; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (spec conformance):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
o Minor bugfixes (spec conformance, rust):
|
||||
- Resolve a denial-of-service issue caused by an infinite loop in
|
||||
the rust protover code. Fixes bug 25250, bugfix on 0.3.3.1-alpha.
|
||||
Also tracked as TROVE-2018-003.
|
||||
|
||||
o Code simplification and refactoring:
|
||||
- Update the "rust dependencies" submodule to be a project-level
|
||||
repository, rather than a user repository. Closes ticket 25323.
|
||||
|
||||
|
||||
Changes in version 0.3.2.10 - 2018-03-03
|
||||
Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
|
||||
backports a number of bugfixes, including important fixes for security
|
||||
issues.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
Additionally, it backports a fix for a bug whose severity we have
|
||||
upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
|
||||
triggered in order to crash relays with a use-after-free pattern. As
|
||||
such, we are now tracking that bug as TROVE-2018-002 and
|
||||
CVE-2018-0491, and backporting it to earlier releases. This bug
|
||||
affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
|
||||
0.3.3.1-alpha.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
Relays running 0.3.2.x SHOULD upgrade to one of the versions released
|
||||
today, for the fix to TROVE-2018-002. Directory authorities should
|
||||
also upgrade. (Relays on earlier versions might want to update too for
|
||||
the DoS mitigations.)
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
|
||||
- Avoid adding the same channel twice in the KIST scheduler pending
|
||||
list, which could lead to remote denial-of-service use-after-free
|
||||
attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
- New-style (v3) onion services now obey the "max rendezvous circuit
|
||||
attempts" logic. Previously they would make as many rendezvous
|
||||
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
||||
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||
- Fix a set of false positives where relays would consider
|
||||
connections to other relays as being client-only connections (and
|
||||
thus e.g. deserving different link padding schemes) if those
|
||||
relays fell out of the consensus briefly. Now we look only at the
|
||||
initial handshake and whether the connection authenticated as a
|
||||
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
|
||||
- The scheduler subsystem was failing to promptly notice changes in
|
||||
consensus parameters, making it harder to switch schedulers
|
||||
network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
|
||||
- When logging a failure to check a hidden service's certificate,
|
||||
also log what the problem with the certificate was. Diagnostic
|
||||
for ticket 24972.
|
||||
|
||||
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
|
||||
- When building with Rust on OSX, link against libresolv, to work
|
||||
around the issue at https://github.com/rust-lang/rust/issues/46797.
|
||||
Fixes bug 24652; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
|
||||
- Remove a BUG() statement when a client fetches an onion descriptor
|
||||
that has a lower revision counter than the one in its cache. This
|
||||
can happen in normal circumstances due to HSDir desync. Fixes bug
|
||||
24976; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||
- Don't treat inability to store a cached consensus object as a bug:
|
||||
it can happen normally when we are out of disk space. Fixes bug
|
||||
24859; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||
- Improve the performance of our consensus-diff application code
|
||||
when Tor is built with the --enable-fragile-hardening option set.
|
||||
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
|
||||
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
||||
25005; bugfix on 0.3.2.7-rc.
|
||||
|
||||
o Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
|
||||
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
||||
version, when deciding whether a consensus entry can support the
|
||||
v3 onion service protocol as a rendezvous point. Fixes bug 25105;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||
- Update the "rust dependencies" submodule to be a project-level
|
||||
repository, rather than a user repository. Closes ticket 25323.
|
||||
|
||||
o Documentation (backport from 0.3.3.1-alpha)
|
||||
- Document that operators who run more than one relay or bridge are
|
||||
expected to set MyFamily and ContactInfo correctly. Closes
|
||||
ticket 24526.
|
||||
|
||||
|
||||
Changes in version 0.3.1.10 - 2018-03-03
|
||||
Tor 0.3.1.10 backports a number of bugfixes, including important fixes for
|
||||
security issues.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
All directory authorities should upgrade to one of the versions
|
||||
released today. Relays running 0.3.1.x may wish to update to one of
|
||||
the versions released today, for the DoS mitigations.
|
||||
|
||||
Please note: according to our release calendar, Tor 0.3.1 will no
|
||||
longer be supported after 1 July 2018. If you will be running Tor
|
||||
after that date, you should make sure to plan to upgrade to the latest
|
||||
stable version, or downgrade to 0.2.9 (which will receive long-term
|
||||
support).
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox, backport from 0.3.2.5-alpha):
|
||||
- Update the sandbox rules so that they should now work correctly
|
||||
with Glibc 2.26. Closes ticket 24315.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
|
||||
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||
- Fix a set of false positives where relays would consider
|
||||
connections to other relays as being client-only connections (and
|
||||
thus e.g. deserving different link padding schemes) if those
|
||||
relays fell out of the consensus briefly. Now we look only at the
|
||||
initial handshake and whether the connection authenticated as a
|
||||
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor feature (relay statistics, backport from 0.3.2.6-alpha):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||
hours in order to reduce the efficiency of guard discovery
|
||||
attacks. Fixes ticket 23856.
|
||||
|
||||
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (fallback directory mirrors, backport from 0.3.2.9):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap when it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||
prefer to bootstrap from fallback directory mirrors. This is a
|
||||
follow-up to 24679, which removed weights from the default
|
||||
fallbacks. Implements ticket 24681.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (address selection, backport from 0.3.2.9):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address
|
||||
and port. This is a precautionary measure, because some callers do
|
||||
not check the return value. Fixes bug 24736; bugfix
|
||||
on 0.2.8.2-alpha.
|
||||
|
||||
o Major bugfixes (bootstrapping, backport from 0.3.2.5-alpha):
|
||||
- Fetch descriptors aggressively whenever we lack enough to build
|
||||
circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer
|
||||
than 15 missing descriptors, even if some of those descriptors
|
||||
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in
|
||||
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||
primary guards as a reason to delay circuits.
|
||||
- Don't try fetching microdescriptors from relays that have failed
|
||||
to deliver them in the past. Fixes bug 23817; bugfix
|
||||
on 0.3.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (compilation, backport from 0.3.2.7-rc):
|
||||
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
|
||||
o Minor bugfixes (control port, linux seccomp2 sandbox, backport from 0.3.2.5-alpha):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfixes (directory cache, backport from 0.3.2.5-alpha):
|
||||
- Recover better from empty or corrupt files in the consensus cache
|
||||
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
||||
- When a consensus diff calculation is only partially successful,
|
||||
only record the successful parts as having succeeded. Partial
|
||||
success can happen if (for example) one compression method fails
|
||||
but the others succeed. Previously we misrecorded all the
|
||||
calculations as having succeeded, which would later cause a
|
||||
nonfatal assertion failure. Fixes bug 24086; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (entry guards, backport from 0.3.2.3-alpha):
|
||||
- Tor now updates its guard state when it reads a consensus
|
||||
regardless of whether it's missing descriptors. That makes tor use
|
||||
its primary guards to fetch descriptors in some edge cases where
|
||||
it would previously have used fallback directories. Fixes bug
|
||||
23862; bugfix on 0.3.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||
- Don't treat inability to store a cached consensus object as a bug:
|
||||
it can happen normally when we are out of disk space. Fixes bug
|
||||
24859; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (memory usage, backport from 0.3.2.8-rc):
|
||||
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||
and reason fields: not the entire 514-byte cell. This fix should
|
||||
help mitigate any bugs or attacks that fill up these queues, and
|
||||
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (network layer, backport from 0.3.2.5-alpha):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||
trying to unblock it, and give it permission to read. This fixes a
|
||||
backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (path selection, backport from 0.3.2.4-alpha):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly.
|
||||
Previously, we would always round upwards; now, we round towards
|
||||
the nearest integer. This had the biggest effect when a relay's
|
||||
weight adjustments should have given it weight 0, but it got
|
||||
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and
|
||||
all nodes in the network have zero bandwidths, count the number of
|
||||
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
||||
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||
- Improve the performance of our consensus-diff application code
|
||||
when Tor is built with the --enable-fragile-hardening option set.
|
||||
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (portability, msvc, backport from 0.3.2.9):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||
to cyptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay, partial backport):
|
||||
- Make the internal channel_is_client() function look at what sort
|
||||
of connection handshake the other side used, rather than whether
|
||||
the other side ever sent a create_fast cell to us. Backports part
|
||||
of the fixes from bugs 22805 and 24898.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||
- Update the "rust dependencies" submodule to be a project-level
|
||||
repository, rather than a user repository. Closes ticket 25323.
|
||||
|
||||
|
||||
Changes in version 0.2.9.15 - 2018-03-03
|
||||
Tor 0.2.9.15 backports important security and stability bugfixes from
|
||||
later Tor releases.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
All directory authorities should upgrade to one of the versions
|
||||
released today. Relays running 0.2.9.x may wish to update to one of
|
||||
the versions released today, for the DoS mitigations.
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major features (denial-of-service mitigation):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Major bugfixes (bootstrapping):
|
||||
- Fetch descriptors aggressively whenever we lack enough to build
|
||||
circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer
|
||||
than 15 missing descriptors, even if some of those descriptors
|
||||
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in
|
||||
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||
primary guards as a reason to delay circuits.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
|
||||
o Minor feature (relay statistics):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||
hours in order to reduce the efficiency of guard discovery
|
||||
attacks. Fixes ticket 23856.
|
||||
|
||||
o Minor features (compatibility, OpenSSL):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (denial-of-service avoidance):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor features (fallback directory mirrors):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap when it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||
prefer to bootstrap from fallback directory mirrors. This is a
|
||||
follow-up to 24679, which removed weights from the default
|
||||
fallbacks. Implements ticket 24681.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Update the sandbox rules so that they should now work correctly
|
||||
with Glibc 2.26. Closes ticket 24315.
|
||||
|
||||
o Minor bugfix (channel connection):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfix (directory authority):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (address selection):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address
|
||||
and port. This is a precautionary measure, because some callers do
|
||||
not check the return value. Fixes bug 24736; bugfix
|
||||
on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (compilation):
|
||||
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
|
||||
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfixes (memory usage):
|
||||
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||
and reason fields: not the entire 514-byte cell. This fix should
|
||||
help mitigate any bugs or attacks that fill up these queues, and
|
||||
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (network layer):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||
trying to unblock it, and give it permission to read. This fixes a
|
||||
backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (OSX):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (path selection):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly.
|
||||
Previously, we would always round upwards; now, we round towards
|
||||
the nearest integer. This had the biggest effect when a relay's
|
||||
weight adjustments should have given it weight 0, but it got
|
||||
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and
|
||||
all nodes in the network have zero bandwidths, count the number of
|
||||
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
||||
o Minor bugfixes (portability, msvc):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||
to cryptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Make the internal channel_is_client() function look at what sort
|
||||
of connection handshake the other side used, rather than whether
|
||||
the other side ever sent a create_fast cell to us. Backports part
|
||||
of the fixes from bugs 22805 and 24898.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.3.3.2-alpha - 2018-02-10
|
||||
Tor 0.3.3.2-alpha is the second alpha in the 0.3.3.x series. It
|
||||
introduces a mechanism to handle the high loads that many relay
|
||||
|
580
ReleaseNotes
580
ReleaseNotes
@ -2,6 +2,586 @@ This document summarizes new features and bugfixes in each stable release
|
||||
of Tor. If you want to see more detailed descriptions of the changes in
|
||||
each development snapshot, see the ChangeLog file.
|
||||
|
||||
Changes in version 0.3.2.10 - 2018-03-03
|
||||
Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
|
||||
backports a number of bugfixes, including important fixes for security
|
||||
issues.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
Additionally, it backports a fix for a bug whose severity we have
|
||||
upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
|
||||
triggered in order to crash relays with a use-after-free pattern. As
|
||||
such, we are now tracking that bug as TROVE-2018-002 and
|
||||
CVE-2018-0491, and backporting it to earlier releases. This bug
|
||||
affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
|
||||
0.3.3.1-alpha.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
Relays running 0.3.2.x SHOULD upgrade to one of the versions released
|
||||
today, for the fix to TROVE-2018-002. Directory authorities should
|
||||
also upgrade. (Relays on earlier versions might want to update too for
|
||||
the DoS mitigations.)
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
|
||||
- Avoid adding the same channel twice in the KIST scheduler pending
|
||||
list, which could lead to remote denial-of-service use-after-free
|
||||
attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
- New-style (v3) onion services now obey the "max rendezvous circuit
|
||||
attempts" logic. Previously they would make as many rendezvous
|
||||
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
||||
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||
- Fix a set of false positives where relays would consider
|
||||
connections to other relays as being client-only connections (and
|
||||
thus e.g. deserving different link padding schemes) if those
|
||||
relays fell out of the consensus briefly. Now we look only at the
|
||||
initial handshake and whether the connection authenticated as a
|
||||
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
|
||||
- The scheduler subsystem was failing to promptly notice changes in
|
||||
consensus parameters, making it harder to switch schedulers
|
||||
network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
|
||||
- When logging a failure to check a hidden service's certificate,
|
||||
also log what the problem with the certificate was. Diagnostic
|
||||
for ticket 24972.
|
||||
|
||||
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
|
||||
- When building with Rust on OSX, link against libresolv, to work
|
||||
around the issue at https://github.com/rust-lang/rust/issues/46797.
|
||||
Fixes bug 24652; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
|
||||
- Remove a BUG() statement when a client fetches an onion descriptor
|
||||
that has a lower revision counter than the one in its cache. This
|
||||
can happen in normal circumstances due to HSDir desync. Fixes bug
|
||||
24976; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||
- Don't treat inability to store a cached consensus object as a bug:
|
||||
it can happen normally when we are out of disk space. Fixes bug
|
||||
24859; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||
- Improve the performance of our consensus-diff application code
|
||||
when Tor is built with the --enable-fragile-hardening option set.
|
||||
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
|
||||
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
||||
25005; bugfix on 0.3.2.7-rc.
|
||||
|
||||
o Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
|
||||
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
||||
version, when deciding whether a consensus entry can support the
|
||||
v3 onion service protocol as a rendezvous point. Fixes bug 25105;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||
- Update the "rust dependencies" submodule to be a project-level
|
||||
repository, rather than a user repository. Closes ticket 25323.
|
||||
|
||||
o Documentation (backport from 0.3.3.1-alpha)
|
||||
- Document that operators who run more than one relay or bridge are
|
||||
expected to set MyFamily and ContactInfo correctly. Closes
|
||||
ticket 24526.
|
||||
|
||||
|
||||
Changes in version 0.3.1.10 - 2018-03-03
|
||||
Tor 0.3.1.10 backports a number of bugfixes, including important fixes for
|
||||
security issues.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
All directory authorities should upgrade to one of the versions
|
||||
released today. Relays running 0.3.1.x may wish to update to one of
|
||||
the versions released today, for the DoS mitigations.
|
||||
|
||||
Please note: according to our release calendar, Tor 0.3.1 will no
|
||||
longer be supported after 1 July 2018. If you will be running Tor
|
||||
after that date, you should make sure to plan to upgrade to the latest
|
||||
stable version, or downgrade to 0.2.9 (which will receive long-term
|
||||
support).
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox, backport from 0.3.2.5-alpha):
|
||||
- Update the sandbox rules so that they should now work correctly
|
||||
with Glibc 2.26. Closes ticket 24315.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
|
||||
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||
- Fix a set of false positives where relays would consider
|
||||
connections to other relays as being client-only connections (and
|
||||
thus e.g. deserving different link padding schemes) if those
|
||||
relays fell out of the consensus briefly. Now we look only at the
|
||||
initial handshake and whether the connection authenticated as a
|
||||
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor feature (relay statistics, backport from 0.3.2.6-alpha):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||
hours in order to reduce the efficiency of guard discovery
|
||||
attacks. Fixes ticket 23856.
|
||||
|
||||
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (fallback directory mirrors, backport from 0.3.2.9):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap when it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||
prefer to bootstrap from fallback directory mirrors. This is a
|
||||
follow-up to 24679, which removed weights from the default
|
||||
fallbacks. Implements ticket 24681.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (address selection, backport from 0.3.2.9):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address
|
||||
and port. This is a precautionary measure, because some callers do
|
||||
not check the return value. Fixes bug 24736; bugfix
|
||||
on 0.2.8.2-alpha.
|
||||
|
||||
o Major bugfixes (bootstrapping, backport from 0.3.2.5-alpha):
|
||||
- Fetch descriptors aggressively whenever we lack enough to build
|
||||
circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer
|
||||
than 15 missing descriptors, even if some of those descriptors
|
||||
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in
|
||||
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||
primary guards as a reason to delay circuits.
|
||||
- Don't try fetching microdescriptors from relays that have failed
|
||||
to deliver them in the past. Fixes bug 23817; bugfix
|
||||
on 0.3.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (compilation, backport from 0.3.2.7-rc):
|
||||
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
|
||||
o Minor bugfixes (control port, linux seccomp2 sandbox, backport from 0.3.2.5-alpha):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfixes (directory cache, backport from 0.3.2.5-alpha):
|
||||
- Recover better from empty or corrupt files in the consensus cache
|
||||
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
||||
- When a consensus diff calculation is only partially successful,
|
||||
only record the successful parts as having succeeded. Partial
|
||||
success can happen if (for example) one compression method fails
|
||||
but the others succeed. Previously we misrecorded all the
|
||||
calculations as having succeeded, which would later cause a
|
||||
nonfatal assertion failure. Fixes bug 24086; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (entry guards, backport from 0.3.2.3-alpha):
|
||||
- Tor now updates its guard state when it reads a consensus
|
||||
regardless of whether it's missing descriptors. That makes tor use
|
||||
its primary guards to fetch descriptors in some edge cases where
|
||||
it would previously have used fallback directories. Fixes bug
|
||||
23862; bugfix on 0.3.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||
- Don't treat inability to store a cached consensus object as a bug:
|
||||
it can happen normally when we are out of disk space. Fixes bug
|
||||
24859; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (memory usage, backport from 0.3.2.8-rc):
|
||||
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||
and reason fields: not the entire 514-byte cell. This fix should
|
||||
help mitigate any bugs or attacks that fill up these queues, and
|
||||
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (network layer, backport from 0.3.2.5-alpha):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||
trying to unblock it, and give it permission to read. This fixes a
|
||||
backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (path selection, backport from 0.3.2.4-alpha):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly.
|
||||
Previously, we would always round upwards; now, we round towards
|
||||
the nearest integer. This had the biggest effect when a relay's
|
||||
weight adjustments should have given it weight 0, but it got
|
||||
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and
|
||||
all nodes in the network have zero bandwidths, count the number of
|
||||
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
||||
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||
- Improve the performance of our consensus-diff application code
|
||||
when Tor is built with the --enable-fragile-hardening option set.
|
||||
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (portability, msvc, backport from 0.3.2.9):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||
to cyptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay, partial backport):
|
||||
- Make the internal channel_is_client() function look at what sort
|
||||
of connection handshake the other side used, rather than whether
|
||||
the other side ever sent a create_fast cell to us. Backports part
|
||||
of the fixes from bugs 22805 and 24898.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||
- Update the "rust dependencies" submodule to be a project-level
|
||||
repository, rather than a user repository. Closes ticket 25323.
|
||||
|
||||
Changes in version 0.2.9.15 - 2018-03-03
|
||||
Tor 0.2.9.15 backports important security and stability bugfixes from
|
||||
later Tor releases.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
All directory authorities should upgrade to one of the versions
|
||||
released today. Relays running 0.2.9.x may wish to update to one of
|
||||
the versions released today, for the DoS mitigations.
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major features (denial-of-service mitigation):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Major bugfixes (bootstrapping):
|
||||
- Fetch descriptors aggressively whenever we lack enough to build
|
||||
circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer
|
||||
than 15 missing descriptors, even if some of those descriptors
|
||||
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in
|
||||
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||
primary guards as a reason to delay circuits.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
|
||||
o Minor feature (relay statistics):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||
hours in order to reduce the efficiency of guard discovery
|
||||
attacks. Fixes ticket 23856.
|
||||
|
||||
o Minor features (compatibility, OpenSSL):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (denial-of-service avoidance):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor features (fallback directory mirrors):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap when it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||
prefer to bootstrap from fallback directory mirrors. This is a
|
||||
follow-up to 24679, which removed weights from the default
|
||||
fallbacks. Implements ticket 24681.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Update the sandbox rules so that they should now work correctly
|
||||
with Glibc 2.26. Closes ticket 24315.
|
||||
|
||||
o Minor bugfix (channel connection):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfix (directory authority):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (address selection):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address
|
||||
and port. This is a precautionary measure, because some callers do
|
||||
not check the return value. Fixes bug 24736; bugfix
|
||||
on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (compilation):
|
||||
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
|
||||
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfixes (memory usage):
|
||||
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||
and reason fields: not the entire 514-byte cell. This fix should
|
||||
help mitigate any bugs or attacks that fill up these queues, and
|
||||
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (network layer):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||
trying to unblock it, and give it permission to read. This fixes a
|
||||
backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (OSX):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (path selection):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly.
|
||||
Previously, we would always round upwards; now, we round towards
|
||||
the nearest integer. This had the biggest effect when a relay's
|
||||
weight adjustments should have given it weight 0, but it got
|
||||
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and
|
||||
all nodes in the network have zero bandwidths, count the number of
|
||||
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
||||
o Minor bugfixes (portability, msvc):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||
to cryptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Make the internal channel_is_client() function look at what sort
|
||||
of connection handshake the other side used, rather than whether
|
||||
the other side ever sent a create_fast cell to us. Backports part
|
||||
of the fixes from bugs 22805 and 24898.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
|
||||
Changes in version 0.3.2.9 - 2018-01-09
|
||||
Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user